b3hr0uz

PayPal-Marketing.com XSS, RCE, full path and information disclosure


Source: PayPal Marketing Remote Code Execution, Information Disclosure and XSS | NahamSec - Behrouz Sadeghipour's Personal Website

Hello everyone,

Today I will be writing about my experience with PayPal’s Bug Bounty Program and how I was able to discover a Remote Code Execution on one of their branded websites.

While auditing PayPal-Marketing.com for a few XSS vulnerabilities I came across a strange URL:

https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/dirmob_db.php?action=getPartnerBasic&list=34158729+24555431948+28165489

That URL displayed the records for the three IDs given in the link. So I figured I might be able to execute SQL commands and hoped for RCE. However, that wasn't the case. After a few tries I realized that my SQL injection was irritating the getPartnerBasic function by producing errors that disclosed the full path of the website and mentioned the getPartnerBasic() function. So I decided to replace getPartnerBasic with phpinfo and see if that would do something (I doubted it!). However, the following process resulted in:

[Screenshot: phpinfo() output returned by dirmob_db.php]

I immediately reported the vulnerability to PayPal and received the following email:

Hey, Were you actually able to run any other commands or just get the version and PHPinfo? Thanks, PayPal Security Team

To make sure this wasn't lowered from an RCE to an information disclosure, I replied to the PayPal Security Team with the following links, which provided them with more information than phpinfo alone:

PID

https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/dirmob_db.php?action=getmypid&list=(34158729)

GID

https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/dirmob_db.php?action=getmygid&list=(34158729)

UID

https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/dirmob_db.php?action=getmyuid&list=34158729
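The behaviour shown by the links above (whatever PHP function name is supplied in `action` gets executed, with `list` handed to it) is what a dispatcher produces when it uses the request parameter directly as the callee. The source of dirmob_db.php was never published, so the following is an added illustration of that shape and of a hardened replacement, not the site's own code; the function names, parameter handling and the `handleGetPartnerBasic` stub are assumptions.

```php
<?php
// Added example: a reconstruction of the vulnerable dispatcher shape consistent
// with the reported behaviour, next to a hardened version. Not the original
// dirmob_db.php (its source is not public); names and handlers are assumed.

// --- Vulnerable shape (hypothetical) ----------------------------------------
// Any PHP function name in ?action= is invoked with ?list= as its argument.
// getPartnerBasic(...) works as intended, but so do phpinfo(...), getmypid(...)
// and any other callable reachable from this script.
function dispatchVulnerable(array $query)
{
    $action = $query['action'] ?? 'getPartnerBasic';
    $list   = $query['list'] ?? '';
    return call_user_func($action, $list);   // attacker chooses the callee
}

// --- Hardened shape -----------------------------------------------------------
// 1. Resolve the external action name through a fixed allowlist.
// 2. Validate `list` as a strictly formatted ID list before it reaches the DB.
// 3. Fail closed with a generic error and keep PHP errors out of the response,
//    so neither full paths nor internal function names leak.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

const ACTIONS = [
    'getPartnerBasic' => 'handleGetPartnerBasic',
];

function parseIdList(string $raw): array
{
    // Accept only digits separated by '+' (the format seen in the reported URL).
    if (!preg_match('/^\d+(\+\d+)*$/', $raw)) {
        throw new InvalidArgumentException('malformed id list');
    }
    return array_map('intval', explode('+', $raw));
}

function handleGetPartnerBasic(array $ids): array
{
    // Stand-in for the real lookup. With validated integer IDs the next step is
    // a prepared statement (WHERE id IN (?, ?, ...)), never string concatenation.
    return ['ids' => $ids];
}

function dispatchHardened(array $query): array
{
    $action = (string)($query['action'] ?? '');
    if (!array_key_exists($action, ACTIONS)) {
        http_response_code(400);
        return ['error' => 'unknown action'];
    }
    try {
        $ids = parseIdList((string)($query['list'] ?? ''));
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        return ['error' => 'bad request'];   // no path, no function name
    }
    $handler = ACTIONS[$action];
    return $handler($ids);
}

// Demo with constructed inputs (not real requests):
var_dump(dispatchHardened(['action' => 'getPartnerBasic', 'list' => '34158729+24555431948']));
var_dump(dispatchHardened(['action' => 'phpinfo', 'list' => '34158729']));      // rejected
var_dump(dispatchHardened(['action' => 'getPartnerBasic', 'list' => "1' OR 1=1"])); // rejected
```

The allowlist is the essential fix: `function_exists()` or `is_callable()` checks would still let `phpinfo`, `getmypid` or `system` through, because those are all valid callables. Validating `list` and suppressing error display close the two secondary issues the write-up mentions, the SQL errors and the full-path disclosure.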

PayPal was extremely fast and patched the vulnerability in under 24 hours. Here's the PoC video:

Cross-Site Scripting:

I was also able to report an XSS in the search module of the PayPal-Marketing partner's page by searching for an IMG tag injected with XSS.

Vulnerable URL:

https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/
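A search box that reflects the query into the page unencoded is the usual cause of this kind of finding. The following is an added example, not code from paypal-marketing.com (whose source is not public), showing the vulnerable shape beside the fix; the parameter name `q` and the surrounding markup are assumptions.

```php
<?php
// Added example: reflected search-term XSS, vulnerable and fixed rendering.
// Not the site's own code; the `q` parameter and markup are assumed.

// Vulnerable: the search term is interpolated into HTML as-is, so a term such as
// <img src=x onerror=...> is parsed as markup and its handler runs in the site's origin.
function renderSearchVulnerable(string $q): string
{
    return "<p>Results for: $q</p>";
}

// Fixed: encode for the HTML context at the point of output. ENT_QUOTES also
// covers attribute contexts, ENT_SUBSTITUTE avoids empty output on bad UTF-8,
// and the charset must match the page's declared encoding.
function renderSearchFixed(string $q): string
{
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Results for: $safe</p>";
}

// Constructed payload of the kind the write-up describes: an IMG tag carrying script.
$payload = '<img src=x onerror=alert(document.domain)>';

echo renderSearchVulnerable($payload), PHP_EOL;   // tag survives, handler fires
echo renderSearchFixed($payload), PHP_EOL;        // tag arrives as inert text
```

In the fixed output the angle brackets become `&lt;` and `&gt;`, so the browser shows the payload as literal text instead of creating an element. Encoding belongs at the output sink, not at input, because the same search term may later be placed in a JavaScript string or a URL, each of which needs its own encoding.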
