I am a nineteen-year-old security researcher who is heavily involved in bug bounties and computer programming. While browsing the European website of Patagonia (eu.patagonia.com) in the fall of 2016, I noticed a GET parameter (?k=) behaving oddly. So I entered a standard ' mark to see how it would respond. Here is what I saw:
After playing with it for a while more, I was able to finally craft a working payload! Here it is:
' and substring('a',1,1) like 'a' and 'A' like 'A
returns true (displays an image of a sweater):
' and substring('b',1,1) like 'a' and 'A' like 'A
returns false and displays no image:
Now we can use this to retrieve information like the name of the database.
To find the second character of the string, simply increment the first 1 to a 2 and so on for the other characters.
Result: www_patagonia_com
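The behaviour described above is a boolean-based blind SQL injection: the single quote closes the string literal the application built around ?k=, and the appended condition decides whether the query returns rows (image shown) or not (no image). The following Python example is added here and is not code from the write-up or from Patagonia; it uses an in-memory SQLite table as a constructed stand-in for the site's search backend (the product names, the LIKE-based query, the log lines and the IP addresses are all assumptions). It shows why the two probes quoted above flip between true and false when the value is spliced into the SQL text, how binding the value as a parameter makes the same input an inert search term, and how the very regular character-by-character probing pattern can be picked out of access logs.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the site's search backend: a tiny product table.
# Nothing here is the real schema or code of the site in the write-up.
PRODUCTS = [("Better Sweater", "sweater.jpg"), ("Nano Puff Jacket", "jacket.jpg")]

# The two probes quoted in the write-up; the first is true, the second false.
PROBE_TRUE = "' and substring('a',1,1) like 'a' and 'A' like 'A"
PROBE_FALSE = "' and substring('b',1,1) like 'a' and 'A' like 'A"


def make_db():
    conn = sqlite3.connect(":memory:")
    # Older bundled SQLite builds lack SUBSTRING(); register an equivalent so the
    # probes parse the same way they would on a database server that has it.
    conn.create_function(
        "substring", 3, lambda s, start, length: s[start - 1:start - 1 + length]
    )
    conn.execute("CREATE TABLE products (name TEXT, image TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, k):
    """Assumed vulnerable pattern: the ?k= value is spliced into the SQL text.
    A quote in the value ends the literal; the rest runs as a WHERE condition,
    so whether rows come back depends on the attacker's comparison."""
    sql = "SELECT image FROM products WHERE name LIKE '%" + k + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, k):
    """Fix: bind the value as a parameter. The wildcards are added to the data,
    never to the SQL text, so a probe is just a search term that matches nothing."""
    sql = "SELECT image FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + k + "%",))]


# Detection: boolean-blind extraction needs one request per candidate character,
# each carrying a quote, a boolean connective and a string-slicing function.
BLIND_SQLI = re.compile(
    r"'\s*(and|or)\s+.*\b(substr(ing)?|ascii|mid)\s*\(.*\b(like|=|<|>)",
    re.IGNORECASE,
)

# Constructed access-log lines in common log format (IPs from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2016:09:14:01 +0000] "GET /search?k=sweater HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Oct/2016:09:14:05 +0000] "GET /search?k=%27%20and%20substring(%27a%27,1,1)%20like%20%27a%27%20and%20%27A%27%20like%20%27A HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Oct/2016:09:14:06 +0000] "GET /search?k=%27%20and%20substring(%27b%27,1,1)%20like%20%27a%27%20and%20%27A%27%20like%20%27A HTTP/1.1" 200 812',
    '198.51.100.4 - - [12/Oct/2016:09:15:22 +0000] "GET /search?k=nano%20puff HTTP/1.1" 200 4870',
]


def flag_requests(log_lines):
    """Return {client_ip: count} of requests whose decoded ?k= value looks like a
    boolean probe. A single hit is noise; dozens from one client in a minute is
    someone reading the database one character at a time."""
    hits = {}
    for line in log_lines:
        parts = line.split()
        ip, path = parts[0], parts[6]  # common log format: client IP and request path
        for value in parse_qs(urlsplit(path).query).get("k", []):
            if BLIND_SQLI.search(value):
                hits[ip] = hits.get(ip, 0) + 1
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, true probe :", search_vulnerable(db, PROBE_TRUE))
    print("vulnerable, false probe:", search_vulnerable(db, PROBE_FALSE))
    print("fixed, true probe      :", search_fixed(db, PROBE_TRUE))
    print("fixed, normal search   :", search_fixed(db, "Sweater"))
    print("flagged clients        :", flag_requests(SAMPLE_LOG))
```

In the vulnerable function the true probe returns every product (an image is displayed) and the false probe returns nothing, exactly the oracle the write-up relies on; in the fixed function both probes return an empty result and only a genuine search term matches. The log check is deliberately simple: in practice it would be combined with a rate threshold per client and per parameter, since the extraction in the write-up requires one request for each character position and candidate value.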
This also affected the Japanese site!!
After discovering this flaw, I immediately reached out to Patagonia, who patched the bug both quickly and effectively. Finding vulnerabilities and helping American companies is my passion, and I plan on making a career of it one day. Let me know what your thoughts/opinions are in the comments! Thanks :)
Jake Murphy
jakedmurphy1@gmail.com