# Exploit Title: FreiChat 9.6 SQL Injection
# Date: 27-11-2014
# Software Link: http://codologic.com/page/freichat-free-php-chat-script-software
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description

$_GET['time'] is not escaped: it is passed straight into get_messages() and concatenated into the SQL string.

File: freichat\server\plugins\chatroom\chatroom.php

$get_mesg = $this->get_messages($_GET['time']);

public function get_messages($time) {
    $frm_id = $this->frm_id;
    $result = array();
    if ($time == 0) {
        //$get_mesg_query = "SELECT DISTINCT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . "AND time<2 order by time";
    } else {
        $get_mesg_query = "SELECT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . " AND time>" . $time . " AND message_type<>1 order by time ";
        $result = $this->db->query($get_mesg_query)->fetchAll();
    }
    return $result;
}

http://security.szurek.pl/freichat-96-sql-injection.html

2. Proof of Concept

Example for WordPress integration (it will give you the admin password):
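For comparison, a hardened rewrite of the vulnerable get_messages() method, added here as an example and not part of the advisory or of FreiChat's own code: the request value is validated as a non-negative integer and then bound as a typed parameter of a prepared statement instead of being concatenated. It assumes $this->db is a PDO instance and $this->frm_id a trusted integer (both assumptions; the advisory only shows the query()->fetchAll() chain).

```php
<?php
// Added example: hardened form of get_messages() from chatroom.php.
// Assumes $this->db is a PDO instance and $this->frm_id an int (assumptions).
class ChatroomMessages
{
    private PDO $db;
    private int $frm_id;

    public function __construct(PDO $db, int $frm_id)
    {
        $this->db = $db;
        $this->frm_id = $frm_id;
    }

    // Validate the raw request value before it reaches the query.
    // Returns null unless the value is a non-negative integer string.
    public static function parseTime($raw): ?int
    {
        if (!is_string($raw) && !is_int($raw)) {
            return null;
        }
        $opts = ['options' => ['min_range' => 0]];
        $time = filter_var($raw, FILTER_VALIDATE_INT, $opts);
        return $time === false ? null : $time;
    }

    public function get_messages(int $time): array
    {
        if ($time === 0) {
            return [];  // the original returns an empty result for time == 0
        }
        // Both values are bound as integer parameters, never interpolated
        // into the SQL text; the quoted "to" column is kept as in the original.
        $sql = 'SELECT * FROM frei_chat WHERE frei_chat."to" = :to'
             . ' AND time > :time AND message_type <> 1 ORDER BY time';
        $stmt = $this->db->prepare($sql);
        $stmt->bindValue(':to', $this->frm_id, PDO::PARAM_INT);
        $stmt->bindValue(':time', $time, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Caller side: reject malformed input up front instead of passing $_GET through.
// $time = ChatroomMessages::parseTime($_GET['time'] ?? null);
// if ($time === null) { http_response_code(400); exit; }
// $get_mesg = $chatroom->get_messages($time);
```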