[转]sqli雅虎

j4s0nh4ck

浏览: 285084 次

最近访客更多访客>>

XiaoPY

zhanchaomao1987

vicen888

prontosil

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

博客分类：

web
渗透测试

原文地址：http://www.sec-down.com/wordpress/?p=494
Today I will blog about a SQL Injection vulnerability that were escalated to Remote Code Execution, Escalated to Root Privilege on one of Yahoo servers.

The story started while searching in below domain: http://innovationjockeys.yahoo.net/

while intercepting the POST requests, I found below request that graped my attention with the possibility of SQL Injection.

http://innovationjockeys.yahoo.net/tictac_chk_req.php
POST:
f_id=9631

I started some manual checks and it seems a SQL Injection is flying over there!
Shooting it with SQLMap, I got below POC as a confirmation of a Vulnerability!

http://innovationjockeys.yahoo.net/tictac_chk_req.php
POST:
f_id=-9631′ OR (2777=2777)#

Available Databases:

information_schema

innovation******* #Hiding dbnames for Yahoo privacy.

web****

Good, now I’ve a SQL Injection and I can read data as well,

Now, How about finding the admin panel, extracting the administrator Username and Password, login to the administrator panel, trying to find a RCE!

1- Admin panel found on: http://innovationjockeys.yahoo.net/admin/

2- I found the Administrator Password stored in the database and it was encoded as Base64

Good, I’ve decoded the Administrator Password, Logged in to the Admin panel.

Now the next step is to find a place to upload files so I can trigger a Remote Code Execution!

That said, I’ve found a upload page, but after uploading a file with “phpinfo();” function as a content,
I found that my uploaded file was named as: page_d03b042780c5071521366edc01e52d3d.xrds+xml

instead of being page_d03b042780c5071521366edc01e52d3d.php ?!

hmmmm, I then tried to intercept the uploading request to find out the problem, and I found below info:

Screenshot from 2014-09-05 05:59:33Yea, now the reason is clear! it’s due to the “Content-Type” Header!

I tried the same request again, but this time I’ve alternatively renamed the “Content-Type” Header to be “application/php” instead, and Here we Go

Now I’ve triggered the SQLI and the RCE, the last part remains is the Root access on the server,

However, the server kernel were latest updated on 2012! and I had the opportunity to root it with a Local root exploit vulnerability in that non-patched kernel!