chCounter 3.1.1 SQL Injection / Cross Site Scripting
Posted Apr 30, 2010
Authored by Valentin Hoebel

chCounter version 3.1.1 suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | e186b67a8dc532c2bdb00c5bf5dcdec58a950e0a58dc73659bac7daf6870b26a

# Exploit Title: chCounter indirect SQL Injection and XSS Vulnerabilities
# Date: 29.04.2010
# Author: Valentin
# Category: webapps/0day
# Version: 3.1.1
# Tested on: Debian, Apache2, PHP5, MySQL5
# CVE :
# Code :

[:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::]
>> General Information
Advisory/Exploit Title = chCounter indirect SQL Injection and XSS Vulnerabilities
Author = Valentin Hoebel
Contact = valentin@xenuser.org

[:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::]
>> Product information
Name = chCounter
Vendors = Berti, Christoph Bachner
Vendor Website = http://chcounter.org/
Affected Version(s) = 3.1.1

chCounter is a counter tool. Simply implement the counter file into your website
and view the stats in the backend.

[:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::]
>> #1 Vulnerability
Type = SQL Injection

This is an unusual SQL injection vulnerability. While viewing the details
of a website in the chCounter backend, some data gets selected from the database,
e.g. which pages the visitor viewed, their page titles, which user agent he used etc.
This data gets selected and displayed directly in the admin backend.

File: administrator/visitor_details.php
Query: $result = $_CHC_DB->query(
'SELECT wert, titel FROM `'. CHC_TABLE_PAGES .'`
WHERE '. $bedingung .'

The script trusts the ordinary visitor. When you view a website which uses chCounter,
the title of the current page and other information gets written directly into the
table chc_pages, column "wert". When the admin views the visitor's details (which
contain the titles of the visited pages) in the backend, the information is selected
directly; no filter is used.

Basically the website's visitor only has to manipulate the current page title.
This is very easy when you think of dynamic websites like Wordpress or Joomla.
I tested this on a Wordpress installation, so all I had to do was visit
wordpress/index.php?s=[malicious SQL commands]

Since the parameter "s" is well known to Wordpress, the page gets displayed (in this case
a query also gets executed and the "injected" stuff gets displayed in the URL, so this
would be a second possibility to inject code) and the title is now changed to something
like this:
Search Results [malicious SQL commands]

The title gets entered into the database, the admin views those details in the backend and
there it is: an SQL injection. The value of the field "wert" is used in the query I
showed earlier, so it is now:
SELECT wert [SQL Injection], titel FROM `'. CHC_TABLE_PAGES .'`
WHERE '. $bedingung .'

The newly crafted query gets executed in the admin's backend and common stuff like dropping
all tables would be possible. And the most fun part is probably that the admin is the one
"hacking" his own website without even knowing that there could be danger in viewing
simple stats.

Since chCounter is widely spread and available for free, an attacker could
know its database structure.

The page title is just one example; you can also manipulate the user agent or URLs.
Unfortunately this is only an indirect SQL injection, since the admin has to be active and
look at the chCounter stats in the admin panel. Still it is fun!

>> #2 Vulnerability
Type = XSS

This vulnerability is based on the SQL injection flaw I described above. "Simply" craft
an incorrect query with the XSS code in it so that the admin (who views the visitor's details
in the backend) gets an SQL error.
The incorrect query gets displayed, e.g.

SELECT wert, titel FROM `chc_pages`
WHERE ( wert =[incorrect query with XSS] AND homepage_id = 1)

Error number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near [...]

The XSS code should get executed right away since it is part of the "incorrect query";
stealing the admin's cookies, redirecting him to another website or embedding
malicious external documents is possible.
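Both findings above (#1 and #2) come from the same root cause: a visitor-supplied value is stored unfiltered and later concatenated into a backend query and echoed into the admin page. The following added example (not chCounter's code; it uses an in-memory SQLite table as a stand-in for chc_pages and a constructed hostile title) shows the concatenation pattern from the advisory next to its parameterised form, plus the output escaping that prevents the stored value from running in the admin's browser:

```python
import html
import sqlite3

# Constructed sample: a page title a visitor can control (for example through a
# search URL), stored unfiltered the way chCounter stores the "wert" column.
HOSTILE_TITLE = "Search Results ' OR '1'='1"


def make_db():
    """In-memory stand-in for chc_pages with constructed rows (hypothetical data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE chc_pages (wert TEXT, titel TEXT, homepage_id INTEGER)")
    db.executemany("INSERT INTO chc_pages VALUES (?, ?, ?)", [
        ("Welcome", "Home", 1),
        ("Contact us", "Contact", 1),
        ("Internal notes", "Staff only", 2),
        (HOSTILE_TITLE, "Search", 1),
    ])
    return db


def page_lookup_vulnerable(db, wert, homepage_id):
    """Stored value spliced into $bedingung by string concatenation, as described above."""
    bedingung = "( wert ='" + wert + "' AND homepage_id = " + str(homepage_id) + ")"
    return db.execute("SELECT wert, titel FROM chc_pages WHERE " + bedingung).fetchall()


def page_lookup_safe(db, wert, homepage_id):
    """Same lookup with bound parameters: the stored value can only ever be data."""
    sql = "SELECT wert, titel FROM chc_pages WHERE wert = ? AND homepage_id = ?"
    return db.execute(sql, (wert, homepage_id)).fetchall()


def render_cell(value):
    """HTML-escape anything visitor-derived (titles, user agents, even a failed
    query shown in an error message) before it reaches the admin backend page."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


if __name__ == "__main__":
    db = make_db()
    # The concatenated query returns every row of homepage 1, not just the stored title.
    print("vulnerable:", page_lookup_vulnerable(db, HOSTILE_TITLE, 1))
    print("safe:      ", page_lookup_safe(db, HOSTILE_TITLE, 1))
    print(render_cell(HOSTILE_TITLE))
```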

[:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::::]
>> Additional Information
Advisory/Exploit Published = 29.04.2010

Exploitation is tricky since you need to be familiar with the chCounter. If you
decide to spend some time on this you will have much fun :)

[:::::::::::::::::::::::::::::::::::::: 0x5 ::::::::::::::::::::::::::::::::::::::]
>> Misc
Greetz && Thanks = inj3ct0r team, Exploit DB, hack0wn and ExpBase!
<3 packetstormsecurity.org!

[:::::::::::::::::::::::::::::::::::::: EOF ::::::::::::::::::::::::::::::::::::::]
