lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <5380C507.9070400@gmail.com>
Date: Sun, 25 May 2014 02:12:55 +1000
From: Joshua Rogers <megamansec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] SQL Injection on eBay subdomain




    Title: eBay Union SQL Injection



Whilst looking for some bugs in ebay, I came across the domain 
http://3.ebay.com.au/. It appears to be a domain for phone users on the 
old "Three" phone carrier/network, but I'm unsure. Three was bought out 
by Vodaphone awhile ago.


The website is the exact same as http://imode.ebay.de/, 
http://imode.ebay.fr/, etc.



On the third tab of the page, there's a link to the 'Categories' 
section. -- If anybody has every used eBay before, they would understand 
what this is; a list of categories as to where you can view items to 
buy.(Or in this case, go into a sub-category.)


Instinctively, I saw that there were a few $_GET parameters being used, 
so I just put a simple apostrophe into the end of the first parameter, 
"emv_CatParent".

To my amazement, it came back with a half-completed page. -- Pretty much 
the poster-child of a blind SQL Injection.


I had trouble actually exploring this vulnerability, as I came to figure 
out that Microsoft SQL Server was being used for the backend, not a 
unix-based one. This created problems.


Due to my lack of MSDB knowledge, I had to load the website into sqlmap 
and do everything through there.


First, I scanned the parameter to see if my assumption was right.

Viola..

[INFO] GET parameter 'emv_CatParent' is 'Generic UNION query (NULL) - 1 
to 10 columns' injectable


Not only that, but;

[01:34:38] [INFO] GET parameter 'emv_CatParent' seems to be 'Microsoft 
SQL Server/Sybase stacked queries' injectable



Which means possible file write/read. - I didn't look further into this 
though.



I explored column names, but no further.

Here's some screenshots:

(Found here: 
http://blog.internot.info/2014/05/sql-injection-on-ebaycomau-subdomain.html)



==Timeline==


[*] Date of discovery: 19/05/2014

[*] Date of report to eBay: 19/05/2014

[*] Date of patch/deployment: 24/05/2014

[*] Public Disclosure: 25/05/2014



==Credits==


Joshua Rogers - www.internot.info <http://www.internot.info> 
(@MegaManSec <https://www.twitter.com/MegaManSec>)

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ