Code: Select all
GET /index.php route=product%2Fcatalog%27+or+%28SELECT+1+FROM+%28SELECT+COUNT%28%2A%29%2C+CONCAT%28%28SELECT+%28SELECT+CONCAT%28GTID_SUBSET%28CAST%28SUBSTRING%28email%2C+1%2C+120%29+AS+CHAR%29%2C0x7e%29%29%29+FROM+%60pyrocreations2025%60.%60oc_customer_login%60+LIMIT+458171%2C+1%29%2C+FLOOR%28RAND%280%29+%2A+2%29%29+x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29+a%29+and+%271%27%3D%271
My Github OC Site: https://github.com/IP-CAM
5'600 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
It isn't necessarily executing the SQL though.nonnedelectari wrote: ↑Wed Mar 19, 2025 8:37 amI would be concerned with why your site executes sql injections in the first place.
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
"hundreds of the following http queries", are peanuts.paulfeakins wrote: ↑Wed Mar 19, 2025 7:59 pmIt isn't necessarily executing the SQL though.nonnedelectari wrote: ↑Wed Mar 19, 2025 8:37 amI would be concerned with why your site executes sql injections in the first place.
Just hitting a site with a huge number of requests could take it down even if there's no vulnerability.
They were getting a 503 error, however I think this filter can be added to IIS to mitigatenonnedelectari wrote: ↑Wed Mar 19, 2025 8:37 amI wouldn't be concerned with "why this query caused high CPU useage" or the ip where it came from, I would be concerned with why your site executes sql injections in the first place.
Remember SQL filter like that can be bypassed.websiteworld wrote: ↑Wed Mar 19, 2025 10:33 pmThey were getting a 503 error, however I think this filter can be added to IIS to mitigate
They were getting a 503 error anyway, so the attempts fail. Any suggestions other than blocking the IP address to avoid the attempts from spiking the CPU?ADD Creative wrote: ↑Wed Mar 19, 2025 11:22 pmRemember SQL filter like that can be bypassed.websiteworld wrote: ↑Wed Mar 19, 2025 10:33 pmThey were getting a 503 error, however I think this filter can be added to IIS to mitigate
ADD Creative wrote: ↑Thu Mar 20, 2025 8:04 amCheck the SQL query in modification\catalog\controller\startup\seo_url.php at line 117. It's probably vulnerable injection looking at the error log.
Code: Select all
if(empty($url)){
$query = $this->db->query("SELECT * FROM " . DB_PREFIX . "seo_url WHERE `query` = '" . $data['route'] . "' AND language_id = '" . (int)$this->config->get('config_language_id') . "'");
if ($query->num_rows && $query->row['keyword']) {
$url .= '/' . $query->row['keyword'];
}
}We own/operate the server and don't have a host. Everything is set to off in Opencart, I can view the PHP error logs.ADD Creative wrote: ↑Thu Mar 20, 2025 8:04 am
1. In your PHP settings make sure display_errors is set to Off. Use phpinfo() to check. It should be off by default, but there are lots of rubbish hosts out there.
Web Development for service businesses serious about online growth
You really shouldn't be running a live web server on an ecommerce site if you don't know how to protect against this sort of thing.
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
That code is vulnerable to SQL injection. As SohBH stated, "$data['route']" needs to be escaped. You will need to do this in the actual extension as if you refresh modification the vulnerability will return. You might want to contact the extension developer to report it.websiteworld wrote: ↑Thu Mar 20, 2025 8:37 amWe own/operate the server and don't have a host. Everything is set to off in Opencart, I can view the PHP error logs.Code: Select all
if(empty($url)){ $query = $this->db->query("SELECT * FROM " . DB_PREFIX . "seo_url WHERE `query` = '" . $data['route'] . "' AND language_id = '" . (int)$this->config->get('config_language_id') . "'"); if ($query->num_rows && $query->row['keyword']) { $url .= '/' . $query->row['keyword']; } }
That email is not a customer, so maybe they were trying to inject it into the database as a customer?
Code: Select all
if (empty($url)) {
$route = $this->db->escape($data['route']); // Escape the route input to prevent SQL injection
$language_id = (int)$this->config->get('config_language_id'); // Ensure language_id is cast to integer
$query = $this->db->query("SELECT * FROM " . DB_PREFIX . "seo_url WHERE `query` = '" . $route . "' AND language_id = '" . $language_id . "'");
if ($query->num_rows && $query->row['keyword']) {
$url .= '/' . $query->row['keyword'];
}
}
Got an urgent question that’s keeping you up at night? There might just be a magical inbox ready to help: khnaz35@gmail.com
Enjoy nature 
These kind of comments are useless. Nothing happened on the server, the attempt failed and was easily mitigated. As other helpful users pointed out, this is an issue with an add on or Journal Theme and the code needs revised! Thanks to those who pointed this out, will report the bug.paulfeakins wrote: ↑Thu Mar 20, 2025 8:28 pmYou really shouldn't be running a live web server on an ecommerce site if you don't know how to protect against this sort of thing.
"the attempt failed", well, a successful sql injection with your cpu going to 99%, I would say that is arguably a pretty successful effort.websiteworld wrote: ↑Fri Mar 21, 2025 11:06 pmThese kind of comments are useless. Nothing happened on the server, the attempt failed and was easily mitigated. As other helpful users pointed out, this is an issue with an add on or Journal Theme and the code needs revised! Thanks to those who pointed this out, will report the bug.paulfeakins wrote: ↑Thu Mar 20, 2025 8:28 pmYou really shouldn't be running a live web server on an ecommerce site if you don't know how to protect against this sort of thing.
Users browsing this forum: Amazon [Bot], nonnedelectari and 152 guests
