Hello from Egypt
Today I will blog about a SQL Injection vulnerability that was escalated to Remote Code Execution, and then to root privileges, on one of Yahoo's servers.
The story started while searching the domain below: http://innovationjockeys.yahoo.net/
While intercepting the POST requests, I found the request below, which grabbed my attention with the possibility of SQL Injection.
I started some manual checks and it seemed a SQL Injection was flying over there!
Shooting it with SQLMap, I got the PoC below as confirmation of the vulnerability!
f_id=-9631' OR (2777=2777)#
[*] innovation******* #Hiding dbnames for Yahoo privacy.
Good, now I have a SQL Injection and I can read data as well.
Now, how about finding the admin panel, extracting the administrator username and password, logging in to the administrator panel, and trying to find an RCE!
1- Admin panel found on: http://innovationjockeys.yahoo.net/admin/
2- I found the Administrator Password stored in the database and it was encoded as Base64
Good, I decoded the administrator password and logged in to the admin panel.
Hey Admin Panel! Say Hello to my readers
Now the next step is to find a place to upload files so I can trigger a Remote Code Execution!
That said, I found an upload page, but after uploading a file with the "phpinfo();" function as its content,
I found that my uploaded file was named as: page_d03b042780c5071521366edc01e52d3d.xrds+xml
instead of being page_d03b042780c5071521366edc01e52d3d.php ?!
Hmmmm, I then tried to intercept the upload request to find out the problem, and I found the info below:
I tried the same request again, but this time I changed the "Content-Type" header to "application/php" instead, and here we go:
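The root cause of the upload step above is that the server derived the stored file's extension from the client-supplied Content-Type header (application/xrds+xml gave .xrds+xml, application/php gave .php). The following is an added example, not code from the post or from Yahoo's application, contrasting that behaviour with a hardened handler; the image-only allowlist and magic bytes are assumptions, since the post does not say what the form was meant to accept.

```python
import os
import secrets
from typing import Optional

# Assumed allowlist: extension -> leading bytes the file must start with.
# The original page does not say which file types the form expected.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def unsafe_stored_name(content_type: str) -> str:
    """Mirrors the behaviour described in the post: the stored extension is
    whatever subtype the client put in Content-Type, so the header alone
    decides whether the file lands on disk as .xrds+xml or .php."""
    subtype = content_type.split("/", 1)[1] if "/" in content_type else "bin"
    return f"page_{secrets.token_hex(16)}.{subtype}"


def safe_stored_name(original_filename: str, data: bytes) -> Optional[str]:
    """Hardened form: Content-Type is never consulted. The extension must be
    on the allowlist, the file's leading bytes must match that type, and the
    stored name is generated server-side. Returns None to reject the upload.
    (Store the result in a directory the web server will not execute from.)"""
    ext = os.path.splitext(original_filename)[1].lstrip(".").lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    return f"page_{secrets.token_hex(16)}.{ext}"


def extension_of(stored_name: str) -> str:
    """Helper for checking what extension a handler produced."""
    return stored_name.rsplit(".", 1)[1]
```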
Now I have triggered the SQLi and the RCE; the last remaining part was root access on the server.
However, the server kernel was last updated in 2012! And I had the opportunity to root it with a local root exploit for that unpatched kernel!
2014-09-05 Initial report to Yahoo
2014-09-06 Yahoo confirmed the vulnerability
2014-09-07 Yahoo Fixed the Vulnerability
2014-09-19 Yahoo informed me that this vulnerability is not eligible for a reward!!!
Note: I find it very strange that Yahoo did not pay a bounty for such a critical bug even if it falls outside the scope. Yahoo pays for critical vulnerabilities in out-of-scope domains; if a SQLi to RCE to root privilege is not a critical bug, then what could be?!
You can follow me @ Twitter.com/zigoo0