
OpenCart FW1, FW2, RCE1 and RCE2 #199

Merged
whattheslime merged 7 commits into ambionics:master from mcdruid:opencart
Apr 9, 2025

Conversation

@mcdruid mcdruid (Contributor) commented Nov 25, 2024

No description provided.

@mcdruid mcdruid (Contributor, Author) commented Dec 7, 2024

FW2 added for OpenCart 3

@mcdruid mcdruid changed the title OpenCart/FW1 OpenCart FW1 and FW2 Dec 9, 2024
@mcdruid mcdruid changed the title OpenCart FW1 and FW2 OpenCart FW1, FW2 and RCE1 Dec 9, 2024
@nollium nollium added the gadget chain This issue could yield a new gadget chain. label Feb 26, 2025
@mcdruid mcdruid changed the title OpenCart FW1, FW2 and RCE1 OpenCart FW1, FW2, RCE1 and RCE2 Apr 4, 2025
@mcdruid mcdruid (Contributor, Author) commented Apr 4, 2025

Added RCE2 which works for 4.1.0.0+

@whattheslime whattheslime (Collaborator) commented

Hello,

First of all, thank you again for all your contributions to phpggc.

We’re glad to see you so active on the project.

However, I have a few questions/comments regarding this merge request:

FW1 and RCE1

During my tests, I wasn’t able to trigger this payload with a fresh installation of OpenCart across the different versions mentioned.

In fact, it seems that the Opencart\System\Library\DB\MySQLi class, which is used by both gadgets, isn’t loaded automatically.

Could you provide more details about your attack scenarios using these gadgets?

FW2

The gadget has been tested and works as expected. However, you mentioned in the comments that a class change occurs starting from version 3.0.3.4.

I believe it would be more relevant to have two separate chains in this kind of situation:

  • OpenCart/FW2 for versions 3.0.0.0 to 3.0.3.4, using the \Twig_Cache_Filesystem class
  • OpenCart/FW3 for versions 3.0.3.5 to 3.0.4.0+ using the \Twig\Cache\FilesystemCache class

I'd be interested in hearing your opinion on this.

RCE2

The gadget has been tested and can be merged without any issue.
Thanks again for your contribution.

@mcdruid mcdruid (Contributor, Author) commented Apr 8, 2025

Thanks for the review; it'd be fine to split the FW into separate gadget chains; I wasn't sure how useful the one for really old versions would be... but sometimes people don't update! I may not be able to do that myself for a little while, but am happy if anyone else wants to do it in the meantime.

As for the autoloading of the db driver classes, I'm not sure why that wouldn't be working. Are you using a mysql-type database when you install?

https://github.com/opencart/opencart/blob/master/upload/system/framework.php#L146

...seems to confirm that the DB classes should autoload successfully (regardless of which class has been configured to be used for the db connection AFAICS).

I've never had a problem with that, and I've seen various reports of researchers using gadget chains based on this destructor. I've mostly tested with 4.0.2.3

@mcdruid mcdruid (Contributor, Author) commented Apr 8, 2025

The autoloading of classes in OpenCart seems to be a bit fiddly when it comes to case-sensitivity sometimes.

As mentioned, I've never had a problem with the MySQLi class but doing some simple tests, it looks like only the lowercase variation of the pgsql class works (despite the source declaring the class as PgSQL):

// Check whether each DB driver class resolves under its declared name and its lowercased name
$debug = [];
foreach (['MySQLi', 'PDO', 'PgSQL'] as $db) {
  $debug[$db] = class_exists("\Opencart\System\Library\DB\\$db");
  $debug[strtolower($db)] = class_exists('\Opencart\System\Library\DB\\' . strtolower($db));
}

var_export($debug);

array (
  'MySQLi' => true,
  'mysqli' => true,
  'PDO' => true,
  'pdo' => true,
  'PgSQL' => false,
  'pgsql' => true,
)

So maybe that's what's causing issues in your testing @whattheslime - can you try lowercasing mysqli?

(I am testing in ddev with a debian 12 web container, FWIW)
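A defensive companion to the case-sensitivity point made above, added here as an example and not code from phpggc or this PR: it scans PHP-serialized input for object tokens naming the OpenCart gadget classes discussed in the thread and compares the names case-insensitively, since PHP resolves class names that way and a lowercased spelling reaches the same class. The watchlist and the sample payloads are constructed for the example.

```python
import re

# Entry classes of the OpenCart gadget chains named in this thread (constructed
# watchlist for the example; extend it with other phpggc chains as needed).
WATCHLIST = {
    "Opencart\\System\\Library\\DB\\MySQLi",  # FW1 / RCE1 destructor class
    "Twig_Cache_Filesystem",                  # FW2, OpenCart 3.0.0.0 to 3.0.3.4
    "Twig\\Cache\\FilesystemCache",           # FW2, OpenCart 3.0.3.5 and later
}

# PHP object token: O:<byte length>:"<class name>":<property count>:{...}
_OBJ_TOKEN = re.compile(r'O:(\d+):"')


def serialized_classes(blob: str) -> list[str]:
    """Return the class name of every object token in a PHP-serialized string.

    The declared length slices the name, so quotes or backslashes inside it do
    not confuse the parser; a token whose length does not land on the closing
    '":' is malformed and is skipped rather than guessed at.
    """
    names = []
    for m in _OBJ_TOKEN.finditer(blob):
        length, start = int(m.group(1)), m.end()
        if blob[start + length:start + length + 2] == '":':
            names.append(blob[start:start + length])
    return names


def flag_gadget_classes(blob: str, watchlist=WATCHLIST) -> list[tuple[str, str]]:
    """Pair each watchlisted class found in blob with its canonical spelling.

    PHP resolves class names case-insensitively, so "mysqli" in a payload reaches
    the same class as "MySQLi"; names are therefore compared lowercased, after
    dropping an optional leading namespace separator.
    """
    canonical = {c.lower(): c for c in watchlist}
    hits = []
    for name in serialized_classes(blob):
        hit = canonical.get(name.lstrip("\\").lower())
        if hit:
            hits.append((name, hit))
    return hits


# Constructed samples: empty objects, only the class name tokens matter here.
SAMPLES = [
    'a:1:{i:0;s:3:"foo";}',                               # benign array
    'O:33:"Opencart\\System\\Library\\DB\\mysqli":0:{}',  # lowercase spelling from the thread
    'O:26:"Twig\\Cache\\FilesystemCache":0:{}',
    'O:21:"twig_cache_filesystem":0:{}',
    'O:99:"Twig_Cache_Filesystem":0:{}',                  # wrong length: malformed, ignored
]
```

Run it over request bodies or cookies before they reach unserialize() to log which chain a payload targets; the last sample shows that a length that does not match the name is ignored instead of producing a false match.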

@whattheslime whattheslime (Collaborator) commented

Hi,

Thank you for your quick response.

After testing with the lowercase class name \Opencart\System\Library\DB\mysqli, I can confirm that both gadget chains (FW1 and RCE) function as expected.

I’ll go ahead and merge your changes, then implement the modifications we discussed earlier.

Thanks again for your help!

@whattheslime whattheslime merged commit c3e8187 into ambionics:master Apr 9, 2025
whattheslime added a commit that referenced this pull request Apr 9, 2025

Labels: gadget chain (This issue could yield a new gadget chain.)
