OpenCart <= 1.5.6.1 SQL Injection

2014.03.26
Credit: Saadat Ullah
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title : OpenCart <= 1.5.6.1 SQL Injection
# Date : 2014/3/26
# Exploit Author : Saadat Ullah - saadi_linux@rocketmail.com
# Software Link : http://www.opencart.com/index.php?route=download/download : https://github.com/opencart
# Software web : www.opencart.com
# Author HomePage : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

# OpenCart suffers from multiple SQL injections in ebay.php. The bug is more a privilege escalation issue, since the attacker needs openbay module access.

PoC

Poorly coded file full of SQLi: opencart/system/library/ebay.php

In file opencart/system/library/ebay.php, product_id is used in a SQL query without being sanitized.

    public function getEbayItemId($product_id) {
        $this->log('getEbayItemId() - Product ID: '.$product_id);
        $qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1");
        ..............

The function is called in many locations and the parameter is passed without sanitization.

In opencart\admin\controller\openbay\openbay.php:

    public function editLoad() {
        ...
        $item_id = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']);
        ..............

where $this->request->get['product_id'] comes from a GET field.

Similarly:

    public function isEbayOrder($id) {
        ...
        $qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1");

In opencart\admin\controller\extension\openbay.php:

    public function ajaxOrderInfo()
        ...
        if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){
        ..............

More:

    public function getProductStockLevel($productId, $sku = '') {
        ...
        $qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1");
        ..............

ebay.php has many more.

The user needs openbay module access:

http://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1'

# Independent Pakistani Security Researcher
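As an added example that is not part of the original advisory or of OpenCart's code, the vulnerable pattern from getEbayItemId() beside a hardened form that casts numeric IDs and escapes string values. It assumes OpenCart's DB wrapper exposes escape() as in 1.5.x; FakeDb, the DB_PREFIX value, findBySkuHardened and the sku column are stand-ins constructed for this example so it runs offline.

```php
<?php
// Added example, not OpenCart's own code: the vulnerable query pattern from
// ebay.php next to a hardened form. Assumes OpenCart's DB wrapper exposes
// escape() (as in 1.5.x); FakeDb below stands in for it so this runs offline.
class FakeDb {
    public $lastQuery = '';
    // Stand-in for the driver's escaping; records the SQL instead of running it.
    public function escape($value) { return addslashes($value); }
    public function query($sql) { $this->lastQuery = $sql; return null; }
}
define('DB_PREFIX', 'oc_'); // constructed value for this example

// Vulnerable form, as in the advisory: $product_id is interpolated verbatim.
function getEbayItemIdVulnerable(FakeDb $db, $product_id) {
    $db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` "
        . "WHERE `product_id` = '" . $product_id . "' AND `status` = '1' LIMIT 1");
    return $db->lastQuery;
}

// Hardened form: product_id is a numeric key, so cast it to int before use.
// A non-numeric value such as 1' becomes 1 and can no longer alter the query.
function getEbayItemIdHardened(FakeDb $db, $product_id) {
    $product_id = (int)$product_id;
    $db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` "
        . "WHERE `product_id` = '" . $product_id . "' AND `status` = '1' LIMIT 1");
    return $db->lastQuery;
}

// For genuinely textual parameters (for example a SKU) a cast is not an
// option; run them through the driver's escape() before interpolation.
// (Hypothetical helper; the sku column is assumed for illustration.)
function findBySkuHardened(FakeDb $db, $sku) {
    $db->query("SELECT `product_id` FROM `" . DB_PREFIX . "product` "
        . "WHERE `sku` = '" . $db->escape($sku) . "' LIMIT 1");
    return $db->lastQuery;
}

$db = new FakeDb();
$tainted = "1'"; // constructed input mirroring the advisory's PoC parameter
echo getEbayItemIdVulnerable($db, $tainted), PHP_EOL; // the quote closes the string literal early
echo getEbayItemIdHardened($db, $tainted), PHP_EOL;   // ... WHERE `product_id` = '1' ...
echo findBySkuHardened($db, "ABC'123"), PHP_EOL;      // ... WHERE `sku` = 'ABC\'123' ...
```

The same int cast applies to order_id in isEbayOrder() and productId in getProductStockLevel(), since all three are integer keys.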

