Title: Web Cookbook Multiple SQL Injection
Author: Saadat Ullah, saadi_linux@rocketmail.com
Software: http://sourceforge.net/projects/webcookbook/
Home: http://security-geeks.blogspot.com/
Test System: Apache/2.2.15 (CentOS), PHP/5.3.3
# SQL Injection
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
http://localhost/cook/showtext.php?mode=[SQLi]
# Proof Of Concept
In showtext.php
Code:
$mode = $_GET["mode"];
...
showText($mode, $art); // $mode is passed to the function without any sanitizing
...
function showText($kategorie, $art) {
    initDB();
    echo "<div class=\"rdisplay\">\n";
    $query = "SELECT * FROM dat_texte WHERE id = $kategorie"; // the unsanitized value is interpolated straight into the query
    $result = mysql_query($query);
...
All GET fields are vulnerable to SQLi:
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
# PoC
In searchrecipe.php
$title = $_GET['title'];
$prefix = $_GET['prefix'];
$preparation = $_GET['preparation'];
$postfix = $_GET['postfix'];
$tipp = $_GET['tipp'];
$ingredient = $_GET['ingredient'];
...
if ($title != "") {
    $sstring = "a.title LIKE '%$title%'";
}
...
searchRecipe($mode, $sstring);
...
In function searchRecipe:
$query = "select distinct a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe order by a.title";
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
Code:
$sstring = $_GET['sstring'];
if ($sstring != "") {
    searchRecipe(0, $sstring);
...
$query = "select distinct a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe order by a.title";
A simple non-persistent (reflected) XSS in the title parameter:
http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('Hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=
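The fix a maintainer would apply to the two functions quoted above, written here as an added example (PHP 7+) and not Web Cookbook's own code: the numeric id is validated and bound, the search term becomes a prepared-statement parameter instead of being interpolated, and reflected output is escaped, which also closes the XSS. Table and column names are the ones in the page's queries; the PDO DSN and credentials are placeholders.

```php
<?php
// Added example, not Web Cookbook code. Hardened showText() and searchRecipe():
// user input is bound as a prepared-statement parameter instead of being
// interpolated into the SQL string. DSN and credentials are placeholders.
function initDB(): PDO {
    return new PDO('mysql:host=localhost;dbname=cookbook', 'DB_USER', 'DB_PASS', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
    ]);
}

// mode/id is numeric: reject anything that is not a digit string before it
// reaches SQL, then bind it anyway. $art is kept from the original signature.
function showText(PDO $pdo, string $kategorie, string $art): array {
    if (!ctype_digit($kategorie)) {
        return [];                       // non-numeric input never reaches the query
    }
    $stmt = $pdo->prepare('SELECT * FROM dat_texte WHERE id = :id');
    $stmt->execute([':id' => (int) $kategorie]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The search term is a bound parameter; the % wildcards go into the value,
// not the SQL text, and user-supplied % and _ are escaped so they match
// literally (backslash is MySQL's default LIKE escape character). The
// parentheses make the join condition apply to both LIKE branches.
function searchRecipe(PDO $pdo, string $sstring): array {
    $term = '%' . addcslashes($sstring, '%_\\') . '%';
    $sql  = 'SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b '
          . 'WHERE (a.title LIKE :t1 OR b.description LIKE :t2) '
          . 'AND a.id = b.recipe ORDER BY a.title';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':t1' => $term, ':t2' => $term]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Anything reflected back into the page is escaped, which also closes the
// reflected XSS in the title parameter.
function renderTitle(string $title): string {
    return '<div class="rdisplay">'
         . htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</div>\n";
}

$pdo  = initDB();
$rows = showText($pdo, $_GET['mode'] ?? '', $_GET['art'] ?? '');
foreach (searchRecipe($pdo, $_GET['sstring'] ?? '') as $row) {
    echo renderTitle($row['title']);
}
```

Two distinct placeholders (:t1, :t2) are used because PDO with emulation disabled does not allow the same named parameter to be bound twice.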
# Independent Pakistani Security Researcher