Just Another Security/Programming Blog: SQL Injection on eBay.com.au subdomain / eBay.de, eBay.fr subdomains

Sunday, 25 May 2014

SQL Injection on eBay.com.au subdomain / eBay.de, eBay.fr subdomains

eBay



Whilst looking for some bugs in ebay.com and ebay.com.au, I came across the domain http://3.ebay.com.au/. It appears to be a domain for phone users on the old "Three" phone carrier/network, but I'm unsure. Three was bought out by Vodafone awhile ago.

The website is the exact same as http://imode.ebay.de/, http://imode.ebay.fr/, etc.
The database itself was most likely part of http:// ebay.com/, too.


On the third tab of the page, there's a link to the 'Categories' section. -- If anybody has ever used eBay before, they would understand what this is; a list of categories as to where you can view items to buy.(Or in this case, go into a sub-category.)

Instinctively, I saw that there were a few $_GET parameters being used, so I just put a simple apostrophe into the end of the first parameter, "emv_CatParent".
To my amazement, it came back with a half-completed page. -- Pretty much the poster-child of a blind SQL Injection.



I had trouble actually exploring this vulnerability, as I came to figure out that Microsoft SQL Server was being used for the backend, not a unix-based one. This created problems.

Due to my lack of MSDB knowledge, I had to load the website into sqlmap and do everything through there.

First, I scanned the parameter to see if my assumption was right.
Viola..
[INFO] GET parameter 'emv_CatParent' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable

Not only that, but;
[01:34:38] [INFO] GET parameter 'emv_CatParent' seems to be 'Microsoft SQL Server/Sybase stacked queries' injectable


Which means possible file write/read. - I didn't look further into this though.


I explored column names, but no further.
Here's some screenshots:



'ebayDB' database.


Databases

Tables available in the 'ebayDB' database.

List of columns from the 'payment_old' table.

No hash for Admin user?(sa).. Uhm.. YOLO I guess.






And finally..
:)






==Timeline==

[*] Date of discovery: 19/05/2014
[*] Date of report to eBay: 19/05/2014
[*] Date of patch/deployment: 24/05/2014
[*] Public Disclosure: 25/05/2014


==Credits==

Joshua Rogers - www.internot.info (@MegaManSec)

3 comments:

  1. Ho...ly... crap.
    Awesome that they actually got right on it, and actually thanked you for it.
    I applaud you, good sir, for the work you've done. :D

    ReplyDelete
  2. Do you get some bounty from ebay for this vuln.?

    ReplyDelete

Note: only a member of this blog may post a comment.