[Repost] SQL injection on Yahoo

Original article: http://www.sec-down.com/wordpress/?p=494
Today I will blog about a SQL injection vulnerability that was escalated to remote code execution, and then to root privileges, on one of Yahoo's servers.

The story started while looking at the domain below: http://innovationjockeys.yahoo.net/

While intercepting POST requests, I found the request below, which grabbed my attention as a possible SQL injection.

http://innovationjockeys.yahoo.net/tictac_chk_req.php
POST:
f_id=9631

I started with some manual checks, and it looked like a SQL injection was there.
Running sqlmap against it gave me the PoC below as confirmation of the vulnerability.

http://innovationjockeys.yahoo.net/tictac_chk_req.php
POST:
f_id=-9631' OR (2777=2777)#

Available Databases:
  • information_schema
  • innovation******* # database names hidden for Yahoo's privacy
  • web****
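As an added example (not code from the original post), the following Python models the injectable lookup behind tictac_chk_req.php against an in-memory SQLite table: the string-built query, the boolean-based check that the sqlmap PoC relies on, and the parameterised fix. The table, its rows and the function names are constructed for this demo. Because SQLite's end-of-line comment marker is `--` rather than MySQL's `#`, the payload is written with `-- ` in place of `#`; the tautology `OR (2777=2777)` is the same one shown above.

```python
import sqlite3
from typing import Callable, List, Tuple

# Constructed sample rows standing in for the real table behind tictac_chk_req.php.
SAMPLE_ROWS = [
    (9631, "alice"),
    (9632, "bob"),
    (9633, "carol"),
]

# Payloads from the post, with MySQL's "#" comment swapped for SQLite's "-- ".
TRUE_PAYLOAD = "-9631' OR (2777=2777)-- "
FALSE_PAYLOAD = "-9631' OR (2777=2778)-- "


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed 'requests' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE requests (f_id INTEGER, owner TEXT)")
    conn.executemany("INSERT INTO requests VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_query(f_id: str) -> str:
    """The bug: the POST parameter is pasted straight into the SQL text."""
    return "SELECT f_id, owner FROM requests WHERE f_id = '%s'" % f_id


def lookup_vulnerable(conn: sqlite3.Connection, f_id: str) -> List[Tuple[int, str]]:
    """Runs the string-built query; a quote in f_id breaks out of the literal."""
    return conn.execute(build_vulnerable_query(f_id)).fetchall()


def lookup_safe(conn: sqlite3.Connection, f_id: str) -> List[Tuple[int, str]]:
    """The fix: f_id is bound as a parameter, so it is only ever a value."""
    return conn.execute(
        "SELECT f_id, owner FROM requests WHERE f_id = ?", (f_id,)
    ).fetchall()


def is_boolean_injectable(conn: sqlite3.Connection,
                          lookup: Callable[[sqlite3.Connection, str], list]) -> bool:
    """Boolean-based test in the spirit of the post's PoC: a true tautology
    must change the result set, a false one must not."""
    normal = lookup(conn, "9631")
    with_true = lookup(conn, TRUE_PAYLOAD)
    with_false = lookup(conn, FALSE_PAYLOAD)
    return with_true != normal and len(with_true) > len(with_false)


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(TRUE_PAYLOAD))
    print("vulnerable:", lookup_vulnerable(db, TRUE_PAYLOAD))
    print("safe:      ", lookup_safe(db, TRUE_PAYLOAD))
    print("injectable (vulnerable):", is_boolean_injectable(db, lookup_vulnerable))
    print("injectable (safe):      ", is_boolean_injectable(db, lookup_safe))
```

Against lookup_vulnerable the boolean check returns True: the true tautology turns `WHERE f_id = '-9631' OR (2777=2777)` into a match for every row, while the false one matches none. Against lookup_safe it returns False, because the whole payload is bound as a single value that matches nothing.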

Good, now I have a SQL injection and I can read data as well.

Next: find the admin panel, extract the administrator username and password, log in to the admin panel, and look for a way to get RCE.

1- The admin panel was at: http://innovationjockeys.yahoo.net/admin/

2- The administrator password was stored in the database encoded as Base64. Base64 is an encoding, not a hash, so the password was effectively stored in cleartext and could be decoded directly.

Good: I decoded the administrator password and logged in to the admin panel.

The next step was to find somewhere to upload files so I could get remote code execution.

I found an upload page, but after uploading a file whose content was a phpinfo(); call, I saw that my uploaded file had been named:

page_d03b042780c5071521366edc01e52d3d.xrds+xml

instead of page_d03b042780c5071521366edc01e52d3d.php?!

[Screenshot 1]

Hmmm. I then intercepted the upload request to find out what was going on, and found the following:

[Screenshot from 2014-09-05 05:59:33]

Yes, now the reason was clear: it was the Content-Type header. The server was apparently deriving the stored file's extension from the Content-Type the client sent, which is why the upload had ended up with the .xrds+xml extension.

I sent the same request again, but this time with the Content-Type header changed to application/php, and here we go:

[Screenshot 2]
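As an added example (not code from the original post or from the site), here is a minimal Python model of the naming logic that the observations above suggest, next to a hardened version. The assumption, drawn from the stored name page_<hash>.xrds+xml and from the effect of changing the header, is that the server took the extension from the subtype of the client-supplied Content-Type; the md5-based stem, the allow-list, the magic-byte table, the function names and the sample uploads are all constructed for this demo.

```python
import hashlib
import secrets
from typing import Optional

# Constructed allow-list and magic-byte table for the demo.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".gif", ".pdf"}
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
    (b"%PDF-", ".pdf"),
]


def vulnerable_name(content_type: str, data: bytes) -> str:
    """Assumed original behaviour: the extension is whatever follows the '/'
    in the client-supplied Content-Type, so 'application/xrds+xml' is stored
    as '.xrds+xml' and 'application/php' as '.php'. The attacker controls the
    header, so the attacker controls the extension. The md5 stem only mimics
    the 32-hex-character name seen in the post."""
    subtype = content_type.split("/", 1)[1] if "/" in content_type else "bin"
    return "page_%s.%s" % (hashlib.md5(data).hexdigest(), subtype)


def extension_from_magic(data: bytes) -> Optional[str]:
    """Decide the type from the bytes actually uploaded, not from any header."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return None


def hardened_name(content_type: str, data: bytes) -> Optional[str]:
    """The fix: ignore Content-Type and the original filename, accept only
    allow-listed types identified by magic bytes, and use a random stem.
    Returns None when the upload is rejected."""
    ext = extension_from_magic(data)
    if ext is None or ext not in ALLOWED_EXTENSIONS:
        return None
    return "page_%s%s" % (secrets.token_hex(16), ext)


if __name__ == "__main__":
    # Constructed sample uploads: a PHP payload and a minimal PNG header.
    php_payload = b"<?php phpinfo(); ?>"
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for ctype in ("application/xrds+xml", "application/php"):
        print(ctype, "->", vulnerable_name(ctype, php_payload),
              "| hardened:", hardened_name(ctype, php_payload))
    print("png ->", hardened_name("application/php", png_header))
```

The hardened version never consults the client's Content-Type or original filename: the extension comes from the bytes that were actually uploaded and must be on an allow-list, and the stored name is random rather than derived from the content. Storing uploads in a directory the web server serves with script execution disabled, or outside the document root altogether, is the other half of the fix.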

Now I had both the SQL injection and the RCE; the only part left was root access on the server.

The server's kernel had last been updated in 2012, so I was able to root it with a local root exploit for a vulnerability in that unpatched kernel.
