Hello from Egypt 😀
Today I will blog about a SQL Injection vulnerability that was escalated to Remote Code Execution, and then to root privileges, on one of Yahoo's servers.
The story started while searching the domain below: http://innovationjockeys.yahoo.net/
While intercepting the POST requests, I found the request below, which grabbed my attention with the possibility of SQL Injection.
I started some manual checks, and it seemed a SQL Injection was flying over there!
Shooting it with SQLMap, I got the POC below as confirmation of the vulnerability:
f_id=-9631' OR (2777=2777)#
[*] innovation*******   # database name hidden for Yahoo's privacy
Good, now I have a SQL Injection and I can read data as well.
Next: find the admin panel, extract the administrator username and password, log in to the administrator panel, and look for an RCE!
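The boolean-based probe above works because the f_id value is pasted straight into the SQL text. The following is an added example (mine, not code from the post or from the Yahoo application) that contrasts that pattern with a parameterized query. It uses an in-memory SQLite table with constructed rows; because SQLite does not treat "#" as a comment the way MySQL does, the payload here ends the statement with SQLite's "--" comment instead, which is the only change to the post's payload.

```python
import sqlite3

# Constructed sample rows standing in for whatever an f_id lookup returns.
SAMPLE_ROWS = [
    (1, "intro.pdf", "public"),
    (2, "budget.xlsx", "internal"),
    (3, "admin-notes.txt", "restricted"),
]

# The post's payload with MySQL's '#' comment swapped for SQLite's '--'.
INJECTION_PAYLOAD = "-9631' OR (2777=2777)-- "


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (f_id INTEGER PRIMARY KEY, name TEXT, visibility TEXT)"
    )
    conn.executemany("INSERT INTO files VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(f_id: str) -> list:
    """String concatenation: the request value becomes part of the SQL text,
    so a quote in f_id closes the literal and the tautology matches every row."""
    conn = _connect()
    try:
        sql = f"SELECT f_id, name FROM files WHERE f_id = '{f_id}'"
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


def lookup_safe(f_id: str) -> list:
    """Parameter binding: the whole value is compared as data, never parsed
    as SQL, so the same payload simply matches nothing."""
    conn = _connect()
    try:
        return conn.execute(
            "SELECT f_id, name FROM files WHERE f_id = ?", (f_id,)
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print("vulnerable, normal id:", lookup_vulnerable("2"))
    print("vulnerable, payload:  ", lookup_vulnerable(INJECTION_PAYLOAD))
    print("safe, normal id:      ", lookup_safe("2"))
    print("safe, payload:        ", lookup_safe(INJECTION_PAYLOAD))
```

The vulnerable lookup returns all three rows for the payload, which is the same signal SQLMap keys on; the parameterized lookup returns none. A request log in which f_id carries a quote followed by OR and a comment sequence is worth an alert on its own, but the fix is binding, not filtering.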
1- Admin panel found at: http://innovationjockeys.yahoo.net/admin/
2- I found the administrator password stored in the database, and it was encoded as Base64 😀
Good, I decoded the administrator password and logged in to the admin panel.
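Base64 is an encoding, not a hash: whoever can read the column can read the password, which is why the SQL Injection alone was enough to get into the admin panel. As an added illustration (my code, not the post's or the application's), the block below shows the one-line recovery on a constructed sample value, beside the salted PBKDF2-HMAC-SHA256 storage that would have left the attacker with only a hash to crack offline.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: a password stored the way the vulnerable app evidently
# stored it. The value is made up, not the real administrator password.
STORED_BASE64 = base64.b64encode(b"S3cretAdminPass!").decode()


def recover_from_base64(stored: str) -> str:
    """Reversible encoding: no secret is needed to get the password back."""
    return base64.b64decode(stored).decode()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt. The record carries
    its own parameters so the iteration count can be raised later without
    invalidating existing rows."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    Anything that is not a well-formed record (a bare Base64 string, say)
    fails closed."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, int(iterations)
        )
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("decoded:", recover_from_base64(STORED_BASE64))
    record = hash_password("correct horse")
    print("stored:", record)
    print("verify ok:", verify_password("correct horse", record))
    print("verify bad:", verify_password("wrong horse", record))
```

Two records for the same password differ because of the random salt, so a dumped table gives no hint which accounts share a password, and each one has to be attacked separately.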
Hey Admin Panel! Say Hello to my readers 🙂
Now the next step was to find a place to upload files so I could trigger a Remote Code Execution!
That said, I found an upload page, but after uploading a file containing a call to “phpinfo();”,
I found that my uploaded file had been named page_d03b042780c5071521366edc01e52d3d.xrds+xml
instead of page_d03b042780c5071521366edc01e52d3d.php ?!
Hmmmm. I then intercepted the upload request to find out why, and found the info below:
I sent the same request again, but this time with the “Content-Type” header changed to “application/php” instead, and here we go 😀
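The post does not show the intercepted request, but the stored suffix "xrds+xml" and the fact that "application/php" produced a ".php" file strongly suggest the application copied the extension from the subtype of the client-supplied Content-Type header; that reading is my inference. The block below is an added example (mine, not the application's code) that reconstructs that naming rule beside an upload handler that ignores Content-Type, allow-lists extensions, checks the leading bytes, and stores under a random name. The token is the one from the post's filename.

```python
import os
import secrets

# Only the formats the application needs to serve; anything else is refused.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Leading bytes of those formats, so the content is checked as well as the name.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}


def vulnerable_stored_name(content_type: str, token: str) -> str:
    """Reconstruction of the flawed rule (an assumption, see lead-in): the
    extension is whatever follows '/' in the Content-Type the client sent."""
    subtype = content_type.split("/", 1)[1] if "/" in content_type else "bin"
    return f"page_{token}.{subtype}"


def hardened_stored_name(original_filename: str, data: bytes, content_type: str) -> str:
    """Content-Type is deliberately not consulted: the client controls it.
    The extension must come from an allow-list, the bytes must match it, and
    the on-disk name is freshly generated so nothing client-chosen is used."""
    del content_type  # attacker-controlled; never part of the decision
    ext = os.path.splitext(original_filename)[1].lstrip(".").lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(MAGIC[ext]):
        raise ValueError("file content does not match its extension")
    return f"upload_{secrets.token_hex(16)}.{ext}"


def upload_rejected(original_filename: str, data: bytes, content_type: str) -> bool:
    """True if the hardened handler refuses this upload."""
    try:
        hardened_stored_name(original_filename, data, content_type)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    token = "d03b042780c5071521366edc01e52d3d"
    print(vulnerable_stored_name("application/xrds+xml", token))
    print(vulnerable_stored_name("application/php", token))
    png = MAGIC["png"] + b"\x00" * 16
    print(hardened_stored_name("logo.png", png, "application/php"))
    print(upload_rejected("page.php", b"<?php phpinfo();", "image/png"))
```

Even with this handler, the upload directory should be served without any script handler (no PHP execution for that path), so a mistake in the allow-list still cannot become code execution.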
Now I had the SQLi and the RCE; the last part remaining was root access on the server.
However, the server's kernel had last been updated in 2012! So I had the opportunity to root it with a local root exploit for that unpatched kernel.
2014-09-05 Initial report to Yahoo
2014-09-06 Yahoo confirmed the vulnerability
2014-09-07 Yahoo Fixed the Vulnerability
2014-09-19 Yahoo informed me that this vulnerability is not eligible for a reward!!!
Note: I find it very strange that Yahoo did not pay a bounty for such a critical bug even if it falls outside the scope; Yahoo pays for critical vulnerabilities in out-of-scope domains. If a SQLi to RCE to root privilege is not a critical bug, then what could be?!
You can follow me on Twitter: Twitter.com/zigoo0