最新消息:

SQL Injection on eBay.com.au subdomain

别人渗透网站学习 admin 1864浏览 0评论

转自:http://blog.internot.info/2014/05/sql-injection-on-ebaycomau-subdomain.html

Whilst looking for some bugs in ebay, I came across the domain http://3.ebay.com.au/. It appears to be a domain for phone users on the old “Three” phone carrier/network, but I’m unsure. Three was bought out by Vodaphone awhile ago.
The website is the exact same as http://imode.ebay.de/, http://imode.ebay.fr/, etc.
On the third tab of the page, there’s a link to the ‘Categories’ section. — If anybody has every used eBay before, they would understand what this is; a list of categories as to where you can view items to buy.(Or in this case, go into a sub-category.)
Instinctively, I saw that there were a few $_GET parameters being used, so I just put a simple apostrophe into the end of the first parameter, “emv_CatParent”.
To my amazement, it came back with a half-completed page. — Pretty much the poster-child of a blind SQL Injection.
I had trouble actually exploring this vulnerability, as I came to figure out that Microsoft SQL Server was being used for the backend, not a unix-based one. This created problems.
Due to my lack of MSDB knowledge, I had to load the website into sqlmap and do everything through there.
First, I scanned the parameter to see if my assumption was right.
Viola..
[INFO] GET parameter ’emv_CatParent’ is ‘Generic UNION query (NULL) – 1 to 10 columns’ injectable
Not only that, but;
[01:34:38] [INFO] GET parameter ’emv_CatParent’ seems to be ‘Microsoft SQL Server/Sybase stacked queries’ injectable
Which means possible file write/read. – I didn’t look further into this though.
I explored column names, but no further.
Here’s some screenshots:

Screenshot+from+2014-05-20+003525
‘ebayDB’ database.

 

Screenshot+from+2014-05-20+003725
Databases

 

Screenshot+from+2014-05-20+003750
Tables available in the ‘ebayDB’ database.

 

Screenshot+from+2014-05-20+004037
List of columns from the ‘payment_old’ table.

 

Screenshot+from+2014-05-20+004538
No hash for Admin user?(sa).. Uhm.. YOLO I guess.

 

Screenshot+from+2014-05-20+005254

==Timeline==
[*] Date of discovery: 19/05/2014
[*] Date of report to eBay: 19/05/2014
[*] Date of patch/deployment: 24/05/2014
[*] Public Disclosure: 25/05/2014
==Credits==
Joshua Rogers – www.internot.info (@MegaManSec)

转载请注明:jinglingshu的博客 » SQL Injection on eBay.com.au subdomain


Warning: Use of undefined constant PRC - assumed 'PRC' (this will throw an Error in a future version of PHP) in /usr/share/nginx/html/wp-content/themes/d8/comments.php on line 17
发表我的评论
取消评论

表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址