Yahoo SQL Injection to Remote Code Exection to Root Privilege

Yahoo SQL Injection to Remote Code Exection to Root Privilege

Yahoo! was recently impacted by a critical web application vulnerabilities which left website’s database and server vulnerable to hackers.

A cyber security expert and penetration tester, Ebrahim Hegazy a.k.a Zigoo from Egypt, has found a serious SQL injection vulnerability in Yahoo’s website that allows an attacker to remotely execute any commands on its server with Root Privileges.

According to Hegazy blog post, the SQLi vulnerability resides in a domain of Yahoo! website i.e. http://innovationjockeys.net/tictac_chk_req.php.

Any remote user can manipulate the input to the “f_id” parameter in the above URL, which could be exploited to extract database from the server.

Screenshot

While pentesting, he found username and password (encoded as Base64) of Yahoo!’ admin panel stored in the database. He decoded the Administrator Password and successfully Logged in to the Admin panel.

Furthermore, SQL injection flaw also facilitate the attacker to exploit Remote Code Execution on the server and an un-patched kernel allows Root access on the server.

Admin panel allows him to upload files on the server but after uploading a file with “phpinfo();” function as a content, he found that the uploaded file was named in “.xrds+xml” instead of being in “.php”

Screenshot-phpinfo

Bu in second attempt, he intercepted the file uploading request and renamed the “Content-Type” Header to “application/php”, which triggers the PHP code on the target server successfully i.e. Remote Code Execution.

Hegazy reported the flaw to Yahoo! Security Team on 5th September and interesting fact, Yahoo! has fixed the flaw within a day after he reported. But, strange part is that the purple company didn’t considered this vulnerability for a reward, as the vulnerable domain is out-of-scope of Yahoo!’s bug bounty program.

Screenshot-admin-1024x559

 

We will be happy to hear your thoughts

Leave a reply

Login/Register access is temporary disabled