SQL Injection flaw on Yahoo escalated to Remote Code Execution

SQL Injection, Remote Code Execution, web application security, web application scanner, online web application scanner, security scanner, Yahoo vulnerability, Yahoo bug bounty program, Yahoo bugs
A critical web application vulnerability, a SQL injection, affected one of Yahoo Inc.'s domains. It let the attacker extract the database and was further escalated to Remote Code Execution.

Egyptian security researcher Ebrahim Hegazy found a critical SQL injection vulnerability in a Yahoo domain that allowed an attacker to remotely execute arbitrary commands on the server with root privileges.

Hegazy explained in his blog post that he started his analysis from the domain http://innovationjockeys.yahoo.net/. While examining the HTTP POST requests, he noticed something that could be exploited for a SQL injection attack: the parameter "f_id" was vulnerable, and an attacker could manipulate it to extract the database from the server.

After successfully injecting the query, he was able to read the admin username and password from the admin table of the database. The password was only Base64-encoded, which is trivially reversible. After decoding the password, he successfully logged into the admin panel.
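To make the two steps above concrete, here is an added example (not code from the article or from Hegazy's write-up) that reproduces the flaw class against a constructed in-memory SQLite database. The table and column names, the UNION payload shape and the stored credential are assumptions; the article names only the "f_id" parameter and says the password was Base64-encoded.

```python
import base64
import sqlite3


def build_db():
    """Constructed schema standing in for the application database.

    Table and column names are assumptions; the article does not name them.
    """
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE files (f_id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO files VALUES (1, 'Innovation brief'), (2, 'Jury notes');
        """
    )
    # The admin "hash" is plain Base64, as the article describes.
    encoded = base64.b64encode(b"S3cr3tPass!").decode()
    db.execute("INSERT INTO admin VALUES (1, 'admin', ?)", (encoded,))
    return db


def lookup_vulnerable(db, f_id):
    """The flaw: the POST parameter is concatenated into the SQL text."""
    sql = "SELECT f_id, title FROM files WHERE f_id = " + f_id
    return db.execute(sql).fetchall()


def lookup_safe(db, f_id):
    """The fix: validate the type and bind the value as a parameter.

    A bound value can never change the structure of the query, and int()
    rejects anything that is not a plain identifier.
    """
    sql = "SELECT f_id, title FROM files WHERE f_id = ?"
    return db.execute(sql, (int(f_id),)).fetchall()


# Constructed UNION payload: the files query returns two columns, so two
# columns from the admin table are smuggled through it. This is an assumed
# payload shape, not the one used against Yahoo.
PAYLOAD = "0 UNION SELECT username, password FROM admin"


def dump_admin_via_injection(db):
    """Pull the admin row through the vulnerable lookup and decode the password."""
    rows = lookup_vulnerable(db, PAYLOAD)
    username, encoded = rows[0]
    return username, base64.b64decode(encoded).decode()


if __name__ == "__main__":
    db = build_db()
    print("normal request:", lookup_vulnerable(db, "1"))
    print("injected request:", dump_admin_via_injection(db))
    try:
        lookup_safe(db, PAYLOAD)
    except ValueError as exc:
        print("parameterised lookup rejected the payload:", exc)
```

The same payload that walks straight through `lookup_vulnerable` fails type validation in `lookup_safe` before it ever reaches the database; even without the `int()` check, the bound string would simply match no row.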

From there he continued to escalate the vulnerability to Remote Code Execution. The admin panel allowed him to upload files to the server, but after uploading a file containing a "phpinfo();" call, he found that the uploaded file had been saved with a ".xrds+xml" extension instead of ".php".

He found that the issue lay in the "Content-Type" header. On a second attempt he edited the request so that the "Content-Type" header read "application/php", and this worked: the PHP code was executed on the target server, i.e. Remote Code Execution.
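The article describes the symptom (a ".xrds+xml" name, then a ".php" name once the header said "application/php") but not the server-side code. The following added example, which is not the vulnerable application's code and not from the article, reconstructs the most plausible flawed logic, deriving the stored extension from the client-supplied Content-Type subtype, and puts a hardened handler beside it. The upload fields, the allow-list and the magic-byte prefixes are assumptions.

```python
import os
import secrets

# Constructed upload records standing in for the multipart request fields.
# The article mentions only the Content-Type header and a phpinfo(); body.
PHP_UPLOAD = {
    "filename": "info.php",
    "content_type": "application/php",
    "body": b"<?php phpinfo(); ?>",
}
XRDS_UPLOAD = dict(PHP_UPLOAD, content_type="application/xrds+xml")
PNG_UPLOAD = {
    "filename": "logo.png",
    "content_type": "image/png",
    "body": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

# Allow-listed extensions with the leading bytes a genuine file must carry.
ALLOWED_EXT = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def stored_name_vulnerable(upload):
    """Assumed reconstruction of the flaw: extension taken from Content-Type.

    The subtype is under the client's control, so "application/xrds+xml"
    yields ".xrds+xml" and "application/php" yields ".php".
    """
    subtype = upload["content_type"].split("/", 1)[1]
    base = os.path.splitext(upload["filename"])[0]
    return f"{base}.{subtype}"


def stored_name_hardened(upload):
    """Ignore Content-Type; allow-list the extension; verify the bytes.

    The stored name is random so the uploader cannot choose it. Returns None
    when the upload must be rejected.
    """
    ext = os.path.splitext(upload["filename"])[1].lstrip(".").lower()
    magic = ALLOWED_EXT.get(ext)
    if magic is None or not upload["body"].startswith(magic):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


def is_executable_by_webserver(name):
    """Extensions a typical PHP handler configuration will execute."""
    return name.lower().rsplit(".", 1)[-1] in {"php", "phtml", "phar"}


if __name__ == "__main__":
    for upload in (XRDS_UPLOAD, PHP_UPLOAD, PNG_UPLOAD):
        bad = stored_name_vulnerable(upload)
        good = stored_name_hardened(upload)
        print(f"{upload['content_type']:>22}: vulnerable -> {bad} "
              f"(executable={is_executable_by_webserver(bad)}), hardened -> {good}")
```

The hardened handler still deserves a second layer in deployment: store uploads outside the web root or in a location where the web server is configured not to execute scripts, so that a mistake in the allow-list cannot become code execution on its own.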

Hegazy also found that the server's kernel version was badly out of date, which gave him a way to exploit it and gain root access on the server.

Hegazy reported the vulnerability to Yahoo's security team, and it was fixed within a day. Unfortunately he received no reward or bounty for his findings, because the affected domain was out of scope of the bug bounty program.

This is not the first time Hegazy has found a critical security vulnerability in Yahoo: he had earlier found a Remote Code Execution on Yahoo, and he has also found critical vulnerabilities in Google, Orange and Microsoft.