Hi , so today we have SQL injection in OpenCart .
I discovered this bug several months ago when i pentested OpenCart and found CSRF in it too.You can check CSRF here.
The ebay.php file in OpenCart is badly coded and you can see a lot SQLi in it.
So here it is..
http://www.exploit-db.com/exploits/32520
http://packetstormsecurity.com/files/125867/OpenCart-1.5.6.1-SQL-Injection.html
http://cxsecurity.com/issue/WLB-2014030212
http://1337day.com/exploit/description/22071
# Exploit Title : OpenCart <= 1.5.6.1 SQL Injection
# Date : 2014/3/26
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link : http://www.opencart.com/index.php?route=download/download
: https://github.com/opencart
# Software web : www.opencart.com
# Author HomePage : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
#Opencart suffers from multipe SQL injection in ebay.php the bug is more about
privilege escalation as attacker may need openbay module access .
Poc
Poorly coded file full of SQLi opencart/system/library/ebay.php
In file opencart/system/library/ebay.php
product_id is used in a SQL query without being sanitize.
public function getEbayItemId($product_id) {
$this->log('getEbayItemId() - Product ID: '.$product_id);
$qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1");
..............
Function is called on many locations and paramter is passed without santize.
In opencart\admin\controller\openbay\openbay.php
public function editLoad() {
...
$item_id = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']);
..............
Where $this->request->get['product_id'] comming from GET field.
Similarly More
public function isEbayOrder($id) {
...
$qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1");
In opencart\admin\controller\extension\openbay.php
public function ajaxOrderInfo()
...
if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){
..............
More
public function getProductStockLevel($productId, $sku = '') {
...
$qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1");
..............
ebay.php has many more..
User should have openbay module access
http://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1'
#Independent Pakistani Security Researcher
Hi , so today we have SQL injection in OpenCart .
I discovered this bug several months ago when i pentested OpenCart and found CSRF in it too.You can check CSRF here.
The ebay.php file in OpenCart is badly coded and you can see a lot SQLi in it.
So here it is..
I discovered this bug several months ago when i pentested OpenCart and found CSRF in it too.You can check CSRF here.
The ebay.php file in OpenCart is badly coded and you can see a lot SQLi in it.
So here it is..
http://packetstormsecurity.com/files/125867/OpenCart-1.5.6.1-SQL-Injection.html
http://cxsecurity.com/issue/WLB-2014030212
http://1337day.com/exploit/description/22071
# Exploit Title : OpenCart <= 1.5.6.1 SQL Injection
# Date : 2014/3/26
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link : http://www.opencart.com/index.php?route=download/download
: https://github.com/opencart
# Software web : www.opencart.com
# Author HomePage : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
#Opencart suffers from multipe SQL injection in ebay.php the bug is more about
privilege escalation as attacker may need openbay module access .
Poc
Poorly coded file full of SQLi opencart/system/library/ebay.php
In file opencart/system/library/ebay.php
product_id is used in a SQL query without being sanitize.
public function getEbayItemId($product_id) {
$this->log('getEbayItemId() - Product ID: '.$product_id);
$qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1");
..............
Function is called on many locations and paramter is passed without santize.
In opencart\admin\controller\openbay\openbay.php
public function editLoad() {
...
$item_id = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']);
..............
Where $this->request->get['product_id'] comming from GET field.
Similarly More
public function isEbayOrder($id) {
...
$qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1");
In opencart\admin\controller\extension\openbay.php
public function ajaxOrderInfo()
...
if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){
..............
More
public function getProductStockLevel($productId, $sku = '') {
...
$qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1");
..............
ebay.php has many more..
User should have openbay module access
http://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1'
11 comments:
Great!
Thanks for this! it looks like 1.5.6.4 might have addressed some of these issues by typecasting $product_id to int but I was wondering if you've done any tests on recent versions? it looks as if opencart\admin\controller\openbay\openbay.php hasn't been changed but I haven't looked very thoroughly yet.
The vulnerability resides in opencart module Open bay,developers has now release the patch.Where opencart did'nt update the stable version with the patch Openbay ,so you have to manually update the Open bay module..
You can find more here
https://github.com/opencart/opencart/issues/1312
Grateful for such superb blog yours...!
Opencart Website Development
ya your artical I very impressed.if you want to manage the open cart inventory; you can use extention here.
opencart.com/index.php?route=marketplace/extension/info&extension_id=27305&filter_search=green+inventory\
Good work…unique site and interesting too… keep it up…looking forward for more updates.Good luck to all of you and thanks so much for your hard-work.
Translation And Localization Companies, Closed Captioning Services in Bangalore,Transcription Companies in Bangalore
I am very happy when read this blog post because blog post written in good manner and write on good topic.
Thanks for sharing valuable information.
Web Design Company Bangalore,
Digital Marketing Company
I perceived the article to be merely worthwhile. Continue posting this tremendous work Professional Web design services are provided by W3BMINDS- Website designer in Lucknow.
Web development Company | Web design company
In 2010, most of us made some 100 stage hike plus procured pics sufferers whereby we tend to found themselves and also noted the item about some of our education chart. https://imgur.com/a/JaxmZAe https://imgur.com/signin?redirect=%2Fa%2FIy2Jyg7 https://imgur.com/a/PsZGmmw https://imgur.com/a/lBfrNIV https://imgur.com/a/sRfJ2ip https://imgur.com/a/zTTImGI https://imgur.com/a/1mWtQsZ
merkur casino【VIP】best 3d slot
Merkur casino【VIP】best 3d slot machine,best 3d slot online casino,nodeposit bonus 메리트 카지노 주소 and more.
Post a Comment