OpenCart 1.5.6.1 – ‘openbay’ Multiple SQL Injections

  • Author: Saadi Siddiqui
    Date: 2014-03-26
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/32520/
  • # Exploit Title : OpenCart <= 1.5.6.1 SQL Injection
    # Date: 2014/3/26
    # Exploit Author: Saadat Ullah , saadi_linux@rocketmail.com
    # Software Link : http://www.opencart.com/index.php?route=download/download ; https://github.com/opencart
    # Software web: www.opencart.com
    # Author HomePage : http://security-geeks.blogspot.com/
    # Tested on: Server : Apache/2.2.15 PHP/5.3.3
    
    # OpenCart suffers from multiple SQL injections in system/library/ebay.php. The bug is
    more about privilege escalation, since the attacker needs openbay module access (the
    vulnerable controllers live under admin/) before any of the injection points can be reached.
    
    PoC
    opencart/system/library/ebay.php is full of SQLi: it builds its queries by string
    concatenation. In getEbayItemId(), product_id is used in a SQL query without being
    sanitized or cast:
    
    public function getEbayItemId($product_id) {
        $this->log('getEbayItemId() - Product ID: '.$product_id);

        $qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1");
    ..............
    The function is called from many locations, and the parameter is passed in unsanitized.
    In opencart\admin\controller\openbay\openbay.php:
    public function editLoad() {
        ...
        $item_id = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']);
    ..............
    where $this->request->get['product_id'] comes straight from the GET query string.
    Similarly:
    
    public function isEbayOrder($id) {
        ...
        $qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1");
    
    In opencart\admin\controller\extension\openbay.php, where order_id again comes from GET:
    public function ajaxOrderInfo() {
        ...
        if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){
    ..............
    More:
    public function getProductStockLevel($productId, $sku = '') {
        ...
        $qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1");
    ..............
    ebay.php has many more.
    The user must have openbay module access. The request below is the editLoad() call shown
    above with a single quote appended to product_id, which leaves the query unterminated
    (token is the logged-in admin's session token):
    http://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1'
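To make the failure mode concrete, here is an added example that is not part of the advisory or of OpenCart's code: a Python/sqlite3 stand-in that rebuilds the getEbayItemId() query with the same string concatenation as ebay.php, runs the advisory's `1'` PoC plus a tautology and a UNION payload against it, and contrasts it with a hardened version that accepts only an integer id and binds it as a parameter. The `oc_` prefix, the column layout and the rows are constructed for the demo; the only thing taken from the page is the shape of the query.

```python
import sqlite3

DB_PREFIX = "oc_"  # assumed table prefix; the page only shows the DB_PREFIX constant


def make_db():
    """Constructed stand-in for the two OpenCart tables the advisory's queries touch."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {DB_PREFIX}ebay_listing (product_id INTEGER, ebay_item_id TEXT, status INTEGER);
        INSERT INTO {DB_PREFIX}ebay_listing VALUES (1, 'ITEM-1001', 1), (2, 'ITEM-2002', 0);
        CREATE TABLE {DB_PREFIX}product (product_id INTEGER, quantity INTEGER, status INTEGER);
        INSERT INTO {DB_PREFIX}product VALUES (1, 7, 1), (2, 0, 1);
    """)
    return conn


def get_ebay_item_id_vulnerable(conn, product_id):
    """Same construction as ebay.php getEbayItemId(): the raw GET value is spliced inside the quotes."""
    sql = ("SELECT `ebay_item_id` FROM `" + DB_PREFIX + "ebay_listing` "
           "WHERE `product_id` = '" + product_id + "' AND `status` = '1' LIMIT 1")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def get_ebay_item_id_fixed(conn, product_id):
    """Hardened form: accept only an integer id and pass it as a bound parameter, never as text."""
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        raise ValueError(f"product_id must be an integer, got {product_id!r}")
    sql = (f"SELECT `ebay_item_id` FROM `{DB_PREFIX}ebay_listing` "
           "WHERE `product_id` = ? AND `status` = '1' LIMIT 1")
    row = conn.execute(sql, (pid,)).fetchone()
    return row[0] if row else None


def run_payloads():
    """Exercise both versions with the advisory's PoC and two classic payloads; returns a result dict."""
    conn = make_db()
    out = {}
    out["legit"] = get_ebay_item_id_vulnerable(conn, "1")             # normal use works
    out["disabled_listing"] = get_ebay_item_id_vulnerable(conn, "2")  # status=0 row is filtered out

    # product_id=1' from the advisory's URL: the stray quote leaves the statement unterminated
    try:
        get_ebay_item_id_vulnerable(conn, "1'")
        out["poc_error"] = None
    except sqlite3.OperationalError as e:
        out["poc_error"] = str(e)

    # Tautology: a non-existent id still returns a listing because the WHERE clause is neutralised.
    # The trailing "-- " comments out the rest (MySQL needs the space after "--", SQLite does not care).
    out["tautology"] = get_ebay_item_id_vulnerable(conn, "' OR 1=1 -- ")

    # UNION: read a column from a different table through the same query
    union = f"' UNION SELECT quantity FROM {DB_PREFIX}product WHERE product_id = 1 -- "
    out["union_other_table"] = get_ebay_item_id_vulnerable(conn, union)

    # Hardened version: same answer for legitimate input, every payload rejected before it reaches SQL
    out["fixed_legit"] = get_ebay_item_id_fixed(conn, "1")
    out["fixed_rejected"] = []
    for payload in ("1'", "' OR 1=1 -- ", union):
        try:
            get_ebay_item_id_fixed(conn, payload)
        except ValueError:
            out["fixed_rejected"].append(payload)
    return out


if __name__ == "__main__":
    for key, value in run_payloads().items():
        print(f"{key}: {value!r}")
```

In OpenCart 1.5.x PHP the equivalent one-line fix for every numeric id in ebay.php is to cast before concatenating (`(int)$product_id`, `(int)$id`, `(int)$productId`), the idiom OpenCart's own models use, with `$this->db->escape()` reserved for string-typed fields. The precondition the advisory states still applies: these payloads only matter once the attacker already holds openbay module access.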
    
    #Independent Pakistani Security Researcher