b3hr0uz Posted April 26, 2014

Hello,

This write-up will cover how I bypassed one of Yahoo’s log-in pages with a sample trick. I had decided to not write anything about this report (since it was out of scope), but a few people wanted to see the trick and I thought it would be a great thing to share with everyone else. (So please don’t bother to mention it’s out of scope and carry on with the post.)

Let’s have a look at what caught my attention in the first place that led on to the attack:

Which took me to the following URL:

However, by clicking on any of the following links I would be redirected to a login page that kind of looks like this:

The first step I took was to run curl and see if I am able to see the content of the files on my own server, so:

curl http://tw.urcosme.fashion.yahoo.net/justbeauty/Vol/22/edit > u2.html

Now that I know I am able to see the content, I decided to switch to Firefox and fire up the good ol’ NoRedirect:

WE ARE IN. Here are a couple of things I was able to do:

Add new content:

Edit:

And I was also able to upload a file which you will be able to see here:

I was able to get the full path and MySQL credentials by messing around with POST. There was also a possible SQLi via POST in the following admin panel which I wasn’t able to exploit due to the fact that I found the bug after the initial report.

Timeline:
2014/04/18 – Reported
2014/04/18 – Triaged
2014/04/18 – Requested more information
2014/04/21 – Closed
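What the post describes is consistent with a protected page that sends a login redirect but still writes its content into the same response. The following is an added example, not code from the post or from the site it discusses: a regression check that requests a page without credentials and without following redirects, run against a handler with that defect and a corrected one. The handlers, the `/admin/edit` path, the `/login` target and the `session=valid` cookie are all constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
ADMIN_HTML = b"<form id='edit'>constructed admin page</form>"  # sample content

class LeakyHandler(BaseHTTPRequestHandler):
    """Sends the login redirect but still writes the protected page."""
    def do_GET(self):
        if self.headers.get("Cookie") == "session=valid":  # hypothetical session check
            self.send_response(200)
        else:
            self.send_response(302)
            self.send_header("Location", "/login")
        # Defect: no early return, so the body is sent either way.
        self.send_header("Content-Length", str(len(ADMIN_HTML)))
        self.end_headers()
        self.wfile.write(ADMIN_HTML)
    def log_message(self, *args): pass  # keep the run quiet

class FixedHandler(LeakyHandler):
    def do_GET(self):
        if self.headers.get("Cookie") != "session=valid":
            self.send_response(302)
            self.send_header("Location", "/login")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return  # nothing protected is rendered past this point
        super().do_GET()

def probe(handler_cls, path="/admin/edit"):
    """GET path with no cookie, not following redirects; return (status, Location, body length)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        result = resp.status, resp.getheader("Location"), len(resp.read())
        conn.close()
        return result
    finally:
        server.shutdown()
        server.server_close()

def leaks_behind_redirect(handler_cls):
    status, _, size = probe(handler_cls)
    return 300 <= status < 400 and size > 0

if __name__ == "__main__":
    print({c.__name__: leaks_behind_redirect(c) for c in (LeakyHandler, FixedHandler)})
```

The same check, pointed at a real deployment's protected routes in a test suite, flags any route whose redirect response has a non-empty body.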