b3hr0uz

Paypal-Makerting.com XSS, RCE, Full path and information disclosure


Source: PayPal Marketing Remote Code Execution, Information Disclosure and XSS | NahamSec - Behrouz Sadeghipour's Personal Website

Hello everyone,

Today I will be writing about my experience with PayPal’s Bug Bounty Program and how I was able to discover a Remote Code Execution on one of their branded websites.

While auditing PayPal-Marketing.com for a few XSS vulnerabilities I came across a strange URL:

https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/dirmob_db.php?action=getPartnerBasic&list=34158729+24555431948+28165489

Which displayed the content of the 3 IDs provided in the link given. So I figured I may be able to execute SQL commands and hope for RCE. However that wasn’t the case. After a few tries I realized that my SQL Injection is irritating the getPartnerBasic function by producing errors disclosing the full path of the website and mentioning the getPartnerBasic() function. So I decided to replace getPartnerBasic with phpinfo and see if that would do something (I doubt it!). However the following process resulted in:

[screenshot: F3qPiwI.png]

and I immediately reported the vulnerability to PayPal and received the following email:

Hey, Were you actually able to run any other commands or just get the version and PHPinfo? Thanks, PayPal Security Team

To make sure this isn’t lowered from an RCE to an information disclosure, I replied to the PayPal Security Team with the following links, which provided them with more information than phpinfo:

PID

https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/dirmob_db.php?action=getmypid&list=(34158729)

GID

https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/dirmob_db.php?action=getmygid&list=(34158729)

UID

https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/dirmob_db.php?action=getmyuid&list=34158729

PayPal was extremely fast and patched the following vulnerability in under 24 hours. Here’s the PoC Video:

Cross-Site Scripting:

I was also able to report an XSS in the search module of the PayPal-Marketing partner’s page by searching for an IMG tag injected with XSS.

Vulnerable URL:

https://www.paypal-marketing.com/paypal/html/hosted/emarketing/partner/directory/v2/
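The RCE section above is consistent with a script that calls the user-supplied `action` value as a PHP function name, which is why `phpinfo`, `getmypid` and friends were reachable. The post does not show the source of `dirmob_db.php`, so the vulnerable dispatcher below is an assumed reconstruction of that pattern (example code added here, not PayPal's), placed beside a hardened version that maps `action` through a fixed allowlist, validates `list` as numeric IDs, and keeps error output (and with it the full path) off the response.

```php
<?php
// Added illustration, not the original dirmob_db.php (its source is not in the post).
// Assumption: the script dispatched on ?action= by calling it as a PHP function name.

// Full-path disclosure came from PHP errors echoed to the client; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// --- Vulnerable pattern (assumed): any global function name becomes callable. ---
function dispatch_vulnerable(array $query): string
{
    $action = $query['action'] ?? 'getPartnerBasic';
    $list   = $query['list'] ?? '';
    return (string) $action($list);   // variable function call: caller picks the callee
}

// --- Hardened pattern: fixed allowlist of handlers plus input validation. ---
function getPartnerBasic(string $list): string
{
    // "34158729+24555431948+28165489" arrives as space-separated IDs after URL decoding.
    $ids = preg_split('/\s+/', trim($list), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($ids as $id) {
        if (!ctype_digit($id)) {
            throw new InvalidArgumentException('list must contain numeric IDs only');
        }
    }
    // A parameterised query would run here; placeholder output for the example.
    return 'partners:' . implode(',', $ids);
}

const ALLOWED_ACTIONS = [
    'getPartnerBasic' => 'getPartnerBasic',   // action name => handler function
];

function dispatch_hardened(array $query): string
{
    $action = $query['action'] ?? 'getPartnerBasic';
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        http_response_code(400);
        return 'unknown action';              // nothing outside the allowlist is ever called
    }
    try {
        return (ALLOWED_ACTIONS[$action])($query['list'] ?? '');
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        return 'invalid list';                // generic message: no path, no stack trace
    }
}

echo dispatch_hardened($_GET), PHP_EOL;
```

With the hardened dispatcher, `?action=phpinfo` or `?action=getmypid` returns a 400 with a generic message, and a malformed `list` no longer produces an error page that names the script's filesystem path.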
