Yahoo service SQL Injection vulnerability allows Remote Code Execution


A Yahoo service has a serious SQL Injection flaw

Egyptian white hat hacker Ebrahim Hegazy has discovered a critical SQL Injection flaw in a Yahoo service that is exploitable for Remote Code Execution and privilege escalation. Hegazy is a security expert who has been credited with discovering numerous critical flaws in Microsoft, Yahoo and Orange websites.

Ebrahim has now discovered a flaw in a Yahoo service that allows SQL Injection. Once the SQL injection is established, the service can be exploited by an attacker to achieve Remote Code Execution and escalate to root privileges on one of Yahoo's servers.

Proof of Concept

As explained in his blog post, Ebrahim started his research with the Yahoo Service domain: https://innovationjockeys.yahoo.net/.

While examining this domain with HTTP POST requests he noticed something that could be exploited for a SQL Injection attack. In Ebrahim's own words,

while intercepting the POST requests, I found the below request that grabbed my attention with the possibility of SQL Injection.

https://innovationjockeys.net/tictac_chk_req.php
POST:
f_id=9631

After a few manual tests and with the use of SQLMap, the hacker confirmed the presence of a flaw in the Yahoo system:

https://innovationjockeys.net/tictac_chk_req.php
POST:
f_id=-9631' OR (2777=2777)#
Available Databases:
[*] information_schema
[*] innovation******* #Hiding dbnames for Yahoo privacy.
[*] web****
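The request above is the textbook shape of a string-concatenation SQL injection: the value of f_id is pasted into the query text, so a closing quote followed by a tautology makes the WHERE clause true for every row. The following is an added example, not code from the article or from Hegazy's blog post, that reproduces the defect against a constructed in-memory SQLite table and shows the parameterized query that removes it. The table, rows and the function names are assumptions made for the demo. The payload on the page ends with MySQL's `#` comment marker; SQLite only understands `--`, so the constructed payload uses that instead. A small regex heuristic for spotting tautology-style values in request logs is included for detection, not as a substitute for parameterization.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed stand-in for the endpoint's backing table; schema and rows are invented.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE requests (f_id TEXT PRIMARY KEY, owner TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO requests VALUES (?, ?, ?)",
        [("9631", "alice", "pending"), ("9632", "bob", "approved"), ("9633", "carol", "pending")],
    )
    return conn


def check_request_vulnerable(conn: sqlite3.Connection, f_id: str) -> list:
    # Defective pattern: the client-controlled value is spliced into the SQL text,
    # so a quote inside f_id terminates the literal and the remainder is parsed as SQL.
    query = f"SELECT f_id, owner, status FROM requests WHERE f_id = '{f_id}'"
    return conn.execute(query).fetchall()


def check_request_safe(conn: sqlite3.Connection, f_id: str) -> list:
    # Hardened pattern: the value is bound as a parameter and is never parsed as SQL,
    # so the same payload simply matches no row.
    return conn.execute(
        "SELECT f_id, owner, status FROM requests WHERE f_id = ?", (f_id,)
    ).fetchall()


# Constructed tautology payload in the shape of the one on the page, with SQLite's
# "--" comment in place of MySQL's "#" (trailing space is required by SQLite).
TAUTOLOGY = "-9631' OR (2777=2777)-- "

# Detection heuristic for request logs / WAF rules: a quote followed by OR/AND and
# a numeric comparison such as 2777=2777. It flags the classic tautology probe only.
INJECTION_HINT = re.compile(r"'\s*(OR|AND)\s*\(?\s*\d+\s*=\s*\d+", re.IGNORECASE)


def looks_like_tautology(value: str) -> bool:
    return INJECTION_HINT.search(value) is not None


def demo() -> tuple:
    # Returns (rows for a normal id, rows leaked by the vulnerable query,
    # rows returned by the parameterized query) for the same payload.
    conn = build_db()
    normal = check_request_vulnerable(conn, "9631")
    leaked = check_request_vulnerable(conn, TAUTOLOGY)
    safe = check_request_safe(conn, TAUTOLOGY)
    return len(normal), len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())  # (1, 3, 0): the tautology dumps every row only through the vulnerable path
    print(looks_like_tautology("-9631' OR (2777=2777)#"))  # True
```

The vulnerable function returns every row for the tautology because the generated SQL reads `... WHERE f_id = '-9631' OR (2777=2777)-- '`; the parameterized version returns nothing because the whole string is compared as a literal. The regex is deliberately narrow so it does not fire on ordinary values like `9631`.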

Ebrahim could read the data stored in the database through the SQL Injection, and once he obtained the administrator credentials from the database he could decode them, because they were merely encoded as Base64 (a reversible encoding, not a password hash).

1- Admin panel found on: https://innovationjockeys.yahoo.net/admin/

2- I found the Administrator Password stored in the database and it was encoded as Base64 :D


Good, I've decoded the Administrator Password, Logged in to the Admin panel.
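The reason the stolen credential was usable at all is that Base64 is an encoding, not a hash: anyone who can read the column can read the password. The following is an added example, not code from the article or from the affected site, contrasting that storage with a salted scrypt hash from Python's standard library and a constant-time verifier. The sample stored value and the scrypt cost parameters are constructed for the demo and are assumptions, not values from the page.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the kind of "encoded" credential found in the database.
# It is base64("P@ssw0rd"); no real credential from the incident is used.
STORED_BASE64 = "UEBzc3cwcmQ="

# scrypt cost parameters: a modest baseline for a demo (assumption, tune for production).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DK_LEN = 2 ** 14, 8, 1, 32


def decode_base64_password(stored: str) -> str:
    # Base64 is fully reversible, which is exactly the weakness the article describes.
    return base64.b64decode(stored).decode()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # Proper storage: random per-user salt plus a memory-hard KDF. The result is
    # a self-describing string so the verifier can recover salt and scheme later.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN
    )
    return "scrypt$%s$%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    # Recompute the KDF with the stored salt and compare in constant time.
    try:
        scheme, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    digest = hashlib.scrypt(
        password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN
    )
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print(decode_base64_password(STORED_BASE64))  # the plaintext falls straight out
    record = hash_password("P@ssw0rd")
    print(record)
    print(verify_password("P@ssw0rd", record), verify_password("wrong", record))
```

With the hashed form, an attacker who reads the table still has to spend a scrypt computation per guess, per user, instead of one base64 decode; the verifier also refuses records in any other scheme so a legacy Base64 column cannot be accepted by mistake.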


Once he had access to the admin panel, he tried to achieve Remote Code Execution by uploading a file of his own.

“That said, I've found an upload page, but after uploading a file with “phpinfo();” function as a content,
I found that my uploaded file was named as: page_d03b042780c5071521366edc01e52d3d.xrds+xml instead of being page_d03b042780c5071521366edc01e52d3d.php?!” states Hegazy in the blog post.

Inspecting the upload request, the expert discovered the cause of the problem in the “Content-Type” header.


Changing the “Content-Type” header to “application/php” solved the problem.
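The upload behaviour described above implies that the server derived the stored file's extension from the client-supplied Content-Type header, which the client controls entirely. The following is an added example, not code from the article or from the affected site, that reproduces that naming logic beside a hardened version which ignores the header, accepts only an allow-list of extensions, checks the file's magic bytes against the claimed type, and assigns a server-generated name. The allow-list, magic-byte table and function names are assumptions made for the demo; the flawed function's naming scheme is a reconstruction of what the page shows, not the site's actual code.

```python
import os
import secrets
from typing import Optional

# Allow-listed extensions and the leading bytes a file of that type must start with.
# Constructed for the demo; extend deliberately rather than by trusting the client.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def name_from_content_type_flawed(content_type: str) -> str:
    # Defective pattern implied by the page: the extension is the MIME subtype the
    # client sent, so "application/xrds+xml" yields ".xrds+xml" and "application/php"
    # yields ".php". Nothing here looks at the file's real content.
    subtype = content_type.split("/", 1)[1] if "/" in content_type else "bin"
    return "page_%s.%s" % (secrets.token_hex(16), subtype)


def store_name_hardened(original_name: str, data: bytes) -> Optional[str]:
    # Hardened pattern: the Content-Type header is not consulted at all. The extension
    # must be on the allow-list, the bytes must match that type's signature, and the
    # stored name contains no client-controlled text. Returns None to reject.
    ext = os.path.splitext(original_name)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    magic = ALLOWED_TYPES.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    return "page_%s.%s" % (secrets.token_hex(16), ext)


# Constructed sample uploads: a benign PNG header and a script body with a harmless call.
PNG_SAMPLE = ALLOWED_TYPES["png"] + b"\x00\x00\x00\x0dIHDR"
SCRIPT_SAMPLE = b"<?php phpinfo(); ?>"


def demo() -> dict:
    return {
        # The flawed namer hands out whatever extension the header asks for.
        "flawed_xrds": name_from_content_type_flawed("application/xrds+xml"),
        "flawed_php": name_from_content_type_flawed("application/php"),
        # The hardened namer rejects the script regardless of name or header.
        "hardened_script": store_name_hardened("page.php", SCRIPT_SAMPLE),
        "hardened_double_ext": store_name_hardened("page.php.png", SCRIPT_SAMPLE),
        "hardened_png": store_name_hardened("logo.PNG", PNG_SAMPLE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Even with the hardened namer, the upload directory should be served without script execution (for example, no PHP handler mapped there) so that a future gap in the allow-list cannot turn a file write into code execution; the naming check and the execution policy are independent layers.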


Ebrahim submitted the Proof of Concept to Yahoo and Yahoo patched the vulnerability. Surprisingly, Yahoo declined to award any bounty to Ebrahim.

Time-line of the vulnerability

2014-09-05 Initial report to Yahoo

2014-09-06 Yahoo confirmed the vulnerability

2014-09-07 Yahoo Fixed the Vulnerability

2014-09-19 Yahoo told Ebrahim that this vulnerability is not eligible for a reward!!!
