Exploiting Baykus Yemek Tarifleri 2.1 SQL Injection

Exploiting Baykus Yemek Tarifleri 2.1 SQL Injection
What this paper is
This paper details a SQL Injection vulnerability found in the "Baykus Yemek Tarifleri" (Baykus Food Recipes) web application, specifically version 2.1. The vulnerability allows an attacker to manipulate database queries by injecting malicious SQL code through the id parameter in the oku.php script.
Simple technical breakdown
The web application uses PHP to interact with a MySQL database. The oku.php script retrieves recipe information based on an id provided in the URL. The vulnerability lies in how the id parameter is directly incorporated into a SQL query without proper sanitization. This allows an attacker to break out of the intended query and execute arbitrary SQL commands, potentially leading to data leakage or modification.
Complete code and payload walkthrough
The provided code snippet is from the oku.php file.
include("ayar.php"); // Includes configuration settings, likely database credentials.
$ids= $_GET["id"]; // Retrieves the 'id' parameter from the URL's GET request.
$yaz= mysql_fetch_array(mysql_query("select * from tarifler where id='$ids'")); // Executes a SQL query to select a recipe based on the provided 'id'.
mysql_select_db("yemek"); // Selects the database named "yemek".
mysql_query("SET NAMES ´latin5´"); // Sets the character set for the connection to 'latin5'.
mysql_query("SET CHARACTER SET latin5"); // Sets the character set for the connection to 'latin5'.
$baslik= $yaz["baslik"]; // Extracts the 'baslik' (title) from the query result.
$resim = $yaz['resim']; // Extracts the 'resim' (image) from the query result.
if($resim==""){ // Checks if the 'resim' field is empty.
$resim= "bos.png"; // If empty, sets a default image.
}
$kisa= $yaz["kisa"]; // Extracts the 'kisa' (short description) from the query result.
$tarif= $yaz["metin"]; // Extracts the 'metin' (recipe text) from the query result.Code Fragment/Block -> Practical Purpose Mapping:
include("ayar.php");-> Configuration Loading: Loads database connection details and other settings.$ids= $_GET["id"];-> Input Acquisition: Gets the user-suppliedidfrom the URL. This is the injection point.mysql_query("select * from tarifler where id='$ids'");-> Vulnerable Query Construction: This is the core of the vulnerability. The$idsvariable is directly concatenated into the SQL string, allowing for SQL injection.mysql_fetch_array(...)-> Result Retrieval: Fetches the data returned by the SQL query.mysql_select_db("yemek");-> Database Selection: Explicitly chooses the "yemek" database.mysql_query("SET NAMES ´latin5´");andmysql_query("SET CHARACTER SET latin5");-> Character Set Configuration: Configures the database connection's character encoding. While not directly part of the exploit, it's relevant for understanding the environment.$baslik = $yaz["baslik"];etc. -> Data Extraction: Assigns retrieved database fields to PHP variables for display.
Payload/Shellcode Explanation:
This paper does not contain explicit shellcode or a binary payload. The "payload" in this context refers to the crafted SQL injection string that is appended to the id parameter in the URL.
Example of a malicious id parameter (SQL Injection Payload):
[path]/oku.php?id=1' OR '1'='1
1: This is the original, intended ID.': This single quote closes the string literal for theidin the original query (where id='$ids').OR '1'='1: This is a condition that is always true. When appended to the original query, it effectively becomes:select * from tarifler where id='1' OR '1'='1'
This modified query will return all rows from thetariflertable, not just the row withid=1, because theOR '1'='1'condition is always met.
More advanced SQL injection payloads could be used to:
- Extract data from other tables: Using
UNION SELECTstatements. - Determine database structure: By querying information schema tables.
- Modify data: Using
UPDATEorDELETEstatements (though this requires specific privileges and careful crafting).
Practical details for offensive operations teams
- Required Access Level: Typically, no elevated privileges are required on the target system itself. The vulnerability is in the web application's handling of user input.
- Lab Preconditions:
- A local or accessible instance of the vulnerable "Baykus Yemek Tarifleri" application (version 2.1 or earlier).
- A running MySQL database with the "yemek" database and a "tarifler" table.
- The
ayar.phpfile should contain valid database credentials.
- Tooling Assumptions:
- Web Browser: For initial reconnaissance and manual testing.
- Proxy/Interception Tool (e.g., Burp Suite, OWASP ZAP): Essential for intercepting requests, modifying parameters, and observing responses.
- SQL Injection Tools (e.g., sqlmap): Can automate the discovery and exploitation of SQL injection vulnerabilities, including data extraction.
- Command-line tools (e.g.,
curl): For scripting and automated testing.
- Execution Pitfalls:
- Character Encoding: The
SET NAMES ´latin5´andSET CHARACTER SET latin5lines indicate the database might be configured withlatin5. Payloads might need to be encoded or crafted to work correctly with this character set, especially if special characters are involved. - Database Errors: If the web application doesn't display SQL errors to the user, it can be harder to confirm the injection and craft precise payloads. Blind SQL injection techniques might be necessary.
- Firewalls/WAFs: Web Application Firewalls (WAFs) might detect and block common SQL injection patterns. Obfuscation techniques or using less common SQL syntax might be required.
- Application Logic: The application might have checks or sanitization on the
idparameter that are not immediately obvious from this snippet. Further analysis of the full application might be needed. - Database Structure: The success of
UNION SELECTattacks depends on knowing the number of columns and data types in the target table. Initial reconnaissance is crucial.
- Character Encoding: The
- Planning Assumptions:
- The
idparameter is intended to be a numerical identifier. - The
tariflertable contains sensitive recipe information. - The database user associated with the web application has sufficient privileges to read data from the
tariflertable. - The
ayar.phpfile is accessible and contains valid database credentials.
- The
Where this was used and when
This vulnerability was published in February 2010. It targets a specific web application, "Baykus Yemek Tarifleri," which was likely in use around that time. Such vulnerabilities are common in older, unpatched web applications that do not follow secure coding practices. The context is a PHP-based recipe website.
Defensive lessons for modern teams
- Input Validation and Sanitization: Never trust user input. Always validate and sanitize all data received from external sources, especially URL parameters, form fields, and cookies.
- Parameterized Queries/Prepared Statements: Use parameterized queries (prepared statements) provided by the database driver. This separates SQL code from user-supplied data, preventing malicious input from being interpreted as SQL commands.
- Least Privilege: Ensure the database user account used by the web application has only the minimum necessary privileges. It should not have permissions to modify or delete data if its sole purpose is to read it.
- Error Handling: Configure web applications to log detailed errors internally but display generic error messages to users. Avoid revealing database structure or query details in error messages.
- Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common attack patterns, including SQL injection attempts.
- Regular Patching and Updates: Keep all web application software, frameworks, and database systems up-to-date with the latest security patches.
- Code Reviews and Security Audits: Conduct regular code reviews and security audits to identify vulnerabilities before they are exploited.
ASCII visual (if applicable)
+-----------------+ +-----------------+ +-----------------+
| Attacker's |----->| Web Server |----->| Database Server |
| Browser | | (oku.php) | | (MySQL) |
+-----------------+ +-----------------+ +-----------------+
^ |
| | Vulnerable SQL Query
| GET /oku.php?id=1' OR '1'='1
|----------------------|This diagram illustrates the basic flow. The attacker crafts a malicious URL, which is sent to the web server. The oku.php script on the web server then constructs a vulnerable SQL query, incorporating the malicious input directly into the query sent to the database.
Source references
- Paper ID: 11605
- Paper Title: Baykus Yemek Tarifleri 2.1 - SQL Injection
- Author: cr4wl3r
- Published: 2010-02-28
- Paper URL: https://www.exploit-db.com/papers/11605
Original Exploit-DB Content (Verbatim)
# Baykus Yemek Tarifleri <= 2.1 SQL Injection Vulnerability
# By cr4wl3r
############################################################
# Code:
include("ayar.php");
$ids= $_GET["id"];
$yaz= mysql_fetch_array(mysql_query("select * from tarifler where id='$ids'"));
mysql_select_db("yemek");
mysql_query("SET NAMES ´latin5´");
mysql_query("SET CHARACTER SET latin5");
$baslik= $yaz["baslik"];
$resim = $yaz['resim'];
if($resim==""){
$resim= "bos.png";
}
$kisa= $yaz["kisa"];
$tarif= $yaz["metin"];
############################################################
# PoC: [path]/oku.php?id=[SQL]
############################################################