Command injection vulnerability on a Yahoo subsidiary's production servers - vulnerability warning - 黑吧安全网 (MyHack58)

Source: www.myhack58.com (MYHACK58:62201786777)
Author: 佚名 (Anonymous)
Published: June 6, 2017
CVSS3: 8.4 High (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.969 High (Percentile: 99.6%)

1. Foreword
Let me go back to May 20. Over the days before that I had spent a lot of time studying the Yahoo Messenger app and still could not figure out how it worked, and an annoying headache and neck pain were setting in. So I decided to take a break and look for a new target. Then I noticed something very interesting: a researcher named Sean, who was taking part in the Yahoo bug bounty program, had been blacklisted because his testing went beyond the boundaries Yahoo permits.
Back home later, I talked it over with my friend Thomas (dawgyg), and we agreed to take a look at the application Sean had been testing before he was blacklisted.
2. Step 1: Reconnaissance
Sean's targets were some of the subsidiaries Yahoo had acquired. In his write-up, the domain names these companies use include:
*.mediagroupone.de
*.snacktv.de
*.vertical-network.de
*.vertical-n.de
*.fabalista.com
Although there are quite a few domains above, Sean's report was aimed mainly at the SnackTV content management system. Thomas and I decided to repeat the method Sean had used and to take the SnackTV www site as our goal, because Thomas had already spent some time on this site and had found a few XSS vulnerabilities there. This site differs from the others in two ways: (1) it belongs to a German company, and (2) it is a site for video producers and developers, not for ordinary Yahoo users.
[Image: the SnackTV search page]
The figure above is the SnackTV search page. It is obviously a video site, but user registration has to be manually reviewed by an administrator, so we could not directly reach the site's upload panel.
While Thomas was busy running automated scans against the website, I spent some time getting a feel for the application, because the basis for recognising an abnormal response from an application is usually knowing what its normal responses look like.
3. Step 2: Scanning
While digging for vulnerabilities in the application, Thomas and I were running background tasks related to this particular application. I used the "subbrute" and "dirsearch" passive identification scripts, with two aims: (1) to find vulnerabilities directly and (2) to detect where vulnerabilities might exist. Knowing how to use these tools helps a penetration tester find vulnerabilities.
Running these tools took a long time, and we harvested a lot of output, but most of it was of little help. Most of it was standard error messages, such as an HTTP 403 when accessing ".htpasswd", or the "admin" page redirecting to the login page instead of being directly accessible. However, after "dirsearch" had worked through a long list of keywords, we did finally find a vulnerable point.
The problem was a file named "getImg.php" in the "imged" directory, at http://snacktv.de/imged/getImg.php. After some searching, we found that a Google search for "site:snacktv.de filetype:php" showed this file publicly indexed. This step was very important, because the vulnerable file needs a GET parameter before it returns any content. Brute-forcing or guessing the correct GET parameters could have taken weeks, and I doubt anyone would be willing to do that, because such parameters usually have to be combined with a further parameter before the request performs a correct query.
The typical logic for working out GET parameters goes like this:
1. Accessing "http://example.com/supersecretdevblog.php" returns an HTTP 500 Internal Server Error, indicating that we must provide a parameter to see the content.
2. Accessing "http://example.com/supersecretdevblog.php?page=index&post=1" returns an HTTP 200 response, indicating that the parameters are correct and that sensitive information may be returned.
So far, what we knew included:
1. The "getImg.php" file requires multiple HTTP GET parameters; if we supply the link address of an image through the "imgurl" parameter, the file automatically downloads a modified picture based on that address.
2. From the parameters exposed in the Google search results, we knew the file was related to the ImageMagick crop function.
4. Step 3: Reaching the vulnerability and escaping the logic restriction
With this information in hand, the first thing we thought of was the "ImageTragick" vulnerability, CVE-2016-3714, and we decided to send a few test payloads.
Thomas and I spent a couple of hours constructing an image file that contained the payload. The principle of the exploit is that the image file embeds the payload; when the server processes the image with the "ImageMagick" command-line tool, the tool's insufficient filtering leads to arbitrary command execution during processing. But our payload did not succeed, which was a bit discouraging. We wondered whether they had already patched against this kind of file.
The payload sample we sent to the server is shown below. The picture address used our own domain: the payload was uploaded to our server, and we passed the "imageurl" parameter so that the server would fetch the payload picture from there. Our goal was to make the server execute an arbitrary command. Note that "xlink:href" points to the picture address.
Apart from the URL of the file the server had processed looking a bit strange, everything appeared normal. We sent the server some random text files, and the data it returned was always the same as for the previous call. After carefully reading the "ImageMagick" documentation together with the disclosed details of the vulnerability, we concluded that the server did not seem to have this vulnerability; possibly it was not using ImageMagick at all. We set this file aside and decided to look at whether the site had other vulnerabilities.
At about 3:30 AM we found several stored cross-site scripting vulnerabilities, an HTTP 401 response injection vulnerability and some common mismanagement issues, but none of these were critical. When you take part in a bug bounty program, especially when testing a subsidiary, the bounties for such issues are usually reduced substantially because their impact is low. Some people are fine with a discounted bounty; for others it is just a waste of time. The unique benefit of an acquired subsidiary as a target is that many people relax their security vigilance on it.
Coming back to the URL, I was getting a little irritable and began to question how exactly the server handled the picture files. What if Yahoo was not processing the picture as a whole, but instead injecting the URL into the XML's "image xlink:href" attribute, much like the situation in the vulnerability PoC? What kind of payload would I need to try in order to verify my guess?
I appended an extra double quote to the address in the browser, and then saw some interesting output, as follows:
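The attribute-injection guess in the last two paragraphs, shown as an added example that is not part of the original article: a user-supplied image URL pasted into an SVG <image xlink:href="..."> template by plain string concatenation, beside a hardened builder that validates the scheme and host and escapes the value for the attribute. The template, the function names and the sample URLs are assumptions, not SnackTV's code.

```python
# Added example (not from the original article): what happens when a
# user-supplied image URL is pasted into an SVG <image xlink:href="..."> template
# by string concatenation, beside a hardened builder that validates and escapes
# it. The template, function names and sample URLs are assumptions.
from urllib.parse import urlsplit
from xml.dom import minidom
from xml.sax.saxutils import quoteattr

XLINK_NS = "http://www.w3.org/1999/xlink"
TEMPLATE = ('<svg xmlns="http://www.w3.org/2000/svg" '
            'xmlns:xlink="http://www.w3.org/1999/xlink">'
            '<image xlink:href="%s" width="100" height="100"/></svg>')


def build_svg_unsafe(imgurl: str) -> str:
    # Vulnerable pattern: the raw parameter lands inside a quoted attribute,
    # so a double quote in imgurl terminates the attribute early and whatever
    # follows is parsed as markup rather than as part of the URL.
    return TEMPLATE % imgurl


def build_svg_safe(imgurl: str) -> str:
    # Hardened pattern: accept only absolute http(s) URLs with a host, reject
    # quote, angle-bracket and control characters outright, and escape the
    # value for an XML attribute (quoteattr adds the surrounding quotes).
    parts = urlsplit(imgurl)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("imgurl must be an absolute http(s) URL")
    if any(ord(c) < 0x20 or c in '"\'<>' for c in imgurl):
        raise ValueError("imgurl contains characters not allowed in a URL")
    return TEMPLATE.replace('xlink:href="%s"', "xlink:href=%s") % quoteattr(imgurl)


def is_accepted(imgurl: str) -> bool:
    # True when the hardened builder would take this value.
    try:
        build_svg_safe(imgurl)
        return True
    except ValueError:
        return False


def is_well_formed(svg: str) -> bool:
    # Namespace-aware parse; any break-out of the attribute fails here.
    try:
        minidom.parseString(svg)
        return True
    except Exception:
        return False


def href_of(svg: str) -> str:
    # The href the server would actually fetch, after XML parsing.
    image = minidom.parseString(svg).getElementsByTagName("image")[0]
    return image.getAttributeNS(XLINK_NS, "href")
```

With the plain URL both builders produce well-formed SVG; with a trailing double quote the unsafe template is no longer parseable, while the hardened builder rejects the value before it reaches the template.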