Wednesday, March 12, 2014

EL Injection in Paypal and Dollars in My Wallet


Hi Folks!

Finally, I am here writing the first post on my blog. This is a short tale about a bug I found in one of PayPal's websites. The bug was EL Injection in Zong (a PayPal product).

Before I proceed to my bug, let me first introduce you to Expression Language (EL).

Expression Language (EL) is a mechanism that enables web pages to communicate with the managing application, system objects, devices and services. EL allows page authors to use simple expressions to access data from JavaBeans, and it can be used to perform various tasks such as reading data, writing data and arithmetic operations. EL is implemented in Java and is used by both JavaServer Faces (JSF) technology and JavaServer Pages (JSP) technology.

Now, what is Expression Language (EL) Injection?

Most of you will already have guessed what can be done with EL Injection. The scope of this vulnerability depends on the targeted application: exploiting it can result in XSS or remote command execution.

So here is how I found the bug in Zong.

Zong was running an outdated version of Clearspace (now known as Jive Software) on one of its sub-domains. Clearspace is a knowledge management tool and is integrated with the Spring Framework. EL patterns were used in Spring JSP tags, which made Clearspace vulnerable to this bug.

I performed some arithmetic operations on Zong and all of them worked!
There were two input forms on that application and both of them were vulnerable. One was login!input.jspa and the other was emailPasswordToken!input.jspa, and the commands were executed via two different parameters.

The attack was crafted as login!input.jspa?unauth=${custom command here}. It was the same for emailPasswordToken!input.jspa.


Proof Of Concept

I made a GET request to the server with https://clearspace.zong.com/login!input.jspa?unauth=${100*3} and the expression was successfully evaluated, with the result shown on the client side.

I tried it again, but with a new query this time ;)

Proof Of Concept (2)

At that time I never thought I would ever post about it, so I don't have many PoCs to show, but back then this couple of screenshots was enough to qualify the bug. The bug was EL Injection, a kind of remote command execution that allowed me to execute commands on the remote server.
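From the defender's side, the request pattern above is easy to spot in web server logs once the query string is URL-decoded. The following scanner is an added example (not part of the original post): it parses combined-format access log lines, decodes each query parameter (twice, to catch double-encoded payloads) and flags values that contain EL syntax. The log lines are constructed samples; only the path login!input.jspa and the parameter name unauth come from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# JSP/JSF EL syntax: ${...} (immediate) or #{...} (deferred), matched after URL-decoding.
EL_PATTERN = re.compile(r"[$#]\{[^}]*\}")

# Apache/nginx "combined"-style access log line: client, timestamp, method, target, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def find_el_in_query(target):
    """Return (param, decoded_value) pairs whose value contains an EL expression.

    parse_qsl decodes once; the extra unquote catches double-encoded payloads
    such as %2524%257B...%257D that a filter on the raw line would miss.
    """
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)
        if EL_PATTERN.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_access_log(lines):
    """Return one alert dict per request whose query string carries an EL expression."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = find_el_in_query(m["target"])
        if hits:
            alerts.append({"client": m["client"], "time": m["ts"],
                           "path": urlsplit(m["target"]).path,
                           "status": int(m["status"]), "params": hits})
    return alerts

# Constructed sample log lines (not real traffic); 192.0.2.0/24 is a documentation address range.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2014:10:01:02 +0000] "GET /login!input.jspa?unauth=%24%7B100*3%7D HTTP/1.1" 200 5120',
    '192.0.2.11 - - [12/Mar/2014:10:01:05 +0000] "GET /login!input.jspa?unauth=hello HTTP/1.1" 200 5120',
    '192.0.2.12 - - [12/Mar/2014:10:02:17 +0000] "GET /login!input.jspa?unauth=%2524%257B7*7%257D HTTP/1.1" 200 5120',
    '192.0.2.13 - - [12/Mar/2014:10:03:00 +0000] "POST /login.jspa HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG):
        print(f'{a["time"]} {a["client"]} {a["path"]} status={a["status"]} params={a["params"]}')
```

A hit on a page that renders the parameter back is worth correlating with the response size or body, since a 200 with evaluated output (rather than the literal text) confirms evaluation happened.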

A few days later, I got a mail: "Paypal Inc Sent You $$$$" :D

And I was like... ($_$)



Finally, I would like to thank Sir Stefano Di Paola, who discovered this interesting vulnerability in 2011. Please check his official writeup for more details. I hope you all like it. Thanks for giving me a bit of your time :)

29 comments:

  1. Congrats..!! It's great you found EL injection.. Good luck
    If you want to share this article with us.. then we can post it on our blog.
    We always welcome security researchers and respect them..
    http://blog.hackersonlineclub.com
    Mail us on: hackersonlineclub.com@gmail.com

  2. Good find! Well deserved money :-)

  3. This is a pretty nice finding. Keep innovating!!

    Replies
    1. Thanks buddy :) Nice to hear that you liked it!

  4. Wow buddy...
    You are doing awesome in your way...
    Keep it up...

  5. Are you looking for a job? If so, let me know, we will hire you for a CMM Level 5 company

    Replies
    1. Hi!
      Send me a mail at piyushmalik02@gmail.com

  6. Wow.. proud of you.. keep going.. :)

  7. Replies
    1. Thanks Akshay :)) Nice to hear that! :D

  8. Replies
    1. Sorry Dhawal, that is a hidden secret :D

  9. Nice findings! :D Congrats (y)

    Replies
    1. Thanks Mikko ;) Hope you liked it! :D

  10. Congrats dear, all French German to me, still great job bro, make your father proud of you, let people recognize your father from your name.. that's the best feeling a father can have...

  11. Thank you Di ^_^

    Yes, I will make my dad feel proud of me :)