Research: PHP Object Injection in Aridius OpenCart modules

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in multiple OpenCart modules named aridius_XYZ.

It appears that current "official" releases of Aridius modules are not vulnerable. However, it also appears to be common for "unofficial" versions of the extensions to be used.

At the time of discovery, at least one such unofficial version was available for free download from the OpenCart marketplace - this release was vulnerable.

The vulnerability is exploitable remotely without authentication.

Research: SQLi in Coinremitter OpenCart module

I found multiple SQLi vulnerabilities in the Coinremitter OpenCart module.

The most serious of these allows an unauthenticated attacker to access any and all content stored in the database.

This potentially exposed credentials for a cryptocurrency wallet, as well as allowing full compromise of the site.

Details: https://gist.github.com/mcdruid/d4bdd8ffb8988bce9408c6bac40a15c5

This was assigned CVE-2025-1117.

Research: SQLi and Access Bypass in ShipRocket OpenCart module

I found two vulnerabilities in the ShipRocket OpenCart module.

One was an Access Bypass as a result of a logic error and type confusion in PHP.

This allows an unauthenticated attacker to access potentially sensitive information stored in the site's database.
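A hypothetical access check, added here as an illustration and not taken from the ShipRocket module, showing how a logic error and PHP's loose comparison each let an unauthenticated request through, next to a corrected check. The stored key value and the request layout are assumptions made for the example.

```php
<?php
// Added illustration, not code from the ShipRocket module: a hypothetical
// API-key check showing a logic error and PHP type juggling side by side,
// then a corrected check. STORED_KEY and the request layout are assumptions.

// A key that starts with "0e" followed only by digits is a numeric string
// to PHP (zero times ten to some power), which matters for == below.
const STORED_KEY = '0e830400451993494058024219903391';

// Logic error: only a key that is present AND wrong is rejected, so a
// request that omits the key entirely is treated as authorised.
function isAuthorisedLogicBug(array $request): bool
{
    $key = $request['key'] ?? null;
    if ($key && $key != STORED_KEY) {
        return false;
    }
    return true;
}

// Type confusion: == between two numeric strings compares them as numbers,
// so '0' == STORED_KEY holds. A boolean true (e.g. from a JSON body) equals
// every non-empty string. Either value passes without knowing the key.
function isAuthorisedLoose($key): bool
{
    return $key == STORED_KEY;
}

// Fixed: insist on a non-empty string, then compare with hash_equals(),
// which is type-strict and constant-time. Missing, array, bool and int
// inputs are all denied before any comparison happens.
function isAuthorised(array $request): bool
{
    $key = $request['key'] ?? null;
    if (!is_string($key) || $key === '') {
        return false;
    }
    return hash_equals(STORED_KEY, $key);
}

// Constructed requests; only the last one carries the real key.
$attempts = [
    'no key'   => [],
    'key=0'    => ['key' => '0'],
    'key=true' => ['key' => true],
    'key=[]'   => ['key' => ['x']],
    'real key' => ['key' => STORED_KEY],
];
foreach ($attempts as $label => $req) {
    printf(
        "%-9s logic-bug=%d loose=%d fixed=%d\n",
        $label,
        isAuthorisedLogicBug($req),
        array_key_exists('key', $req) ? isAuthorisedLoose($req['key']) : 0,
        isAuthorised($req)
    );
}
```

The first two functions each accept at least one request that carries no valid key: the logic bug passes the request with no key at all, and the loose comparison passes both `'0'` (numeric-string comparison) and `true` (bool comparison). The fixed version passes only the real key. The same pattern applies to any `==`/`!=` or `in_array()` without strict mode on values an attacker can shape.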

Details: https://gist.github.com/mcdruid/0d1fdbba445587639ee5da66e7abfcc9

This was assigned CVE-2025-0580.

Research: Unrestricted File Upload in BlogBotz OpenCart module

I found an Unrestricted File Upload in the BlogBotz OpenCart module.

This could allow an unauthenticated attacker to gain unauthorised access to the site and its hosting infrastructure, for example via a PHP webshell or similar exploit.
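An upload handler of the vulnerable shape beside a hardened one, added as an illustration and not the BlogBotz module's code. The directory names, the allowlist and the sample files are assumptions; the sample uploads are constructed inside the script so it runs without a real HTTP request.

```php
<?php
// Added illustration, not code from the BlogBotz module. Shows why trusting
// the client's filename lets an attacker drop a PHP file into a web-served
// directory, and a checked alternative. Paths and the allowlist are assumed.

const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

// Vulnerable: the client controls the name, so "shell.php" lands in a
// web-served directory and is executed on the next request for it.
function saveUploadVulnerable(array $file, string $webDir): string
{
    $dest = $webDir . '/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Validation used by the hardened handler: the extension must be on the
// allowlist AND the bytes must be of the type that extension claims.
function validateUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension not allowed: $ext");
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content is $mime, expected " . ALLOWED_TYPES[$ext]);
    }
    return $ext;
}

// Hardened: validate, then store under a server-chosen random name in a
// directory the web server never executes scripts from (ideally outside
// the document root, served back through a download controller).
function saveUploadFixed(array $file, string $storageDir): string
{
    $ext = validateUpload($file);
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

// Constructed stand-ins for $_FILES entries (no real HTTP request involved).
function fakeUpload(string $clientName, string $bytes): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    return ['name' => $clientName, 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];
}

$samples = [
    fakeUpload('shell.php', "<?php phpinfo(); ?>"),                    // PHP, wrong extension
    fakeUpload('shell.png', "<?php phpinfo(); ?>"),                    // PHP renamed to .png
    fakeUpload('photo.png', "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16)), // PNG signature
];
foreach ($samples as $f) {
    try {
        echo $f['name'], ': accepted as ', validateUpload($f), "\n";
    } catch (RuntimeException $e) {
        echo $f['name'], ': rejected (', $e->getMessage(), ")\n";
    }
    unlink($f['tmp_name']);
}
```

Only the third sample gets through validation: the first fails the extension allowlist and the second fails the content check, because libmagic reports PHP source as `text/x-php` rather than `image/png`. Even an upload that passes both checks is written under a random name, so double extensions, `.htaccess` and path separators in the client-supplied name never reach the filesystem.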

Details: https://gist.github.com/mcdruid/28124198128022a1c2b4060f74d99cd6

This was assigned CVE-2025-0460.

Research: SQLi in Dreamvention Live Ajax Search OpenCart module

I found a SQLi vulnerability in the Dreamvention Live Ajax Search OpenCart module.

This allows an unauthenticated attacker to access any and all content stored in the database.

Via the SQLi vulnerability it's possible to compromise the site by exfiltrating admin session details / credentials.

Details: https://gist.github.com/mcdruid/d6a41cfebd9e10e63a8c698d3a8ad771

This was assigned CVE-2025-1116.

Research: SQLi in TMD Custom Header Menu OpenCart module

I found a SQLi vulnerability in the TMD Custom Header Menu OpenCart module.

The CVSS score for this is lower than some of the other SQLi vulnerabilities I found in OpenCart modules, because the vulnerable code is only accessible by authenticated (admin) users.
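The shape shared by the SQLi bugs in the Coinremitter, Dreamvention and TMD modules above, as an added example that is not code from any of those modules: a storefront search that concatenates a request parameter into the query, beside the same search using a bound parameter. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table names, sample rows and the UNION payload are constructed for the example. OpenCart modules normally go through `$this->db->query()`, where the equivalent fix is casting integers with `(int)` and passing strings through `$this->db->escape()` inside a quoted literal.

```php
<?php
// Added illustration, not code from any of the OpenCart modules discussed
// here. Shows the shape of an unauthenticated SQLi in a storefront search
// and the same search with a bound parameter. Uses PDO + in-memory SQLite so
// it runs stand-alone; table names, data and the payload are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE product (product_id INTEGER, name TEXT)');
$pdo->exec('CREATE TABLE user (user_id INTEGER, username TEXT, password TEXT)');
$pdo->exec("INSERT INTO product VALUES (1, 'Widget'), (2, 'Gadget')");
$pdo->exec("INSERT INTO user VALUES (1, 'admin', 'sample-password-hash')");

// Vulnerable: the request value is pasted into the SQL text. Anything the
// attacker puts after a closing quote is parsed as SQL.
function searchVulnerable(PDO $pdo, array $get): array
{
    $sql = "SELECT product_id, name FROM product WHERE name LIKE '%" . $get['search'] . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value travels as a parameter, so it can only ever be data.
function searchFixed(PDO $pdo, array $get): array
{
    $stmt = $pdo->prepare('SELECT product_id, name FROM product WHERE name LIKE ?');
    $stmt->execute(['%' . $get['search'] . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input for the public search endpoint: close the
// LIKE string, UNION in two columns from the user table, comment out the rest.
$payload = "x%' UNION SELECT username, password FROM user -- ";

print_r(searchVulnerable($pdo, ['search' => $payload]));
print_r(searchFixed($pdo, ['search' => $payload]));
```

The vulnerable call hands back the admin row through the two product columns, which is the "any and all content stored in the database" outcome described above; the fixed call returns nothing, because the payload is just a pattern that no product name contains. Bound parameters also remove the need to reason about which quoting rules the database applies.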

The maintainers acknowledged the report and fixed this quickly.

Details: https://gist.github.com/mcdruid/ff4f29f4e7830e9e91988c7195d77039

This was assigned CVE-2025-0214.

Metasploit and Meterpreter as a C2 with sessions and channels

It's possible to use the Metasploit console and Meterpreter as a powerful Command and Control (C2) system using sessions and channels; here's how.

One-liner to start up a multi-handler in the Metasploit console listening on a given port for incoming connections from a (staged) Metasploit payload:

What is overriding your Drupal config?

Something is overriding config in Drupal - you can see it by invoking drush with and without the flag to include overrides:

$ drush cget system.performance | grep -B1 preprocess
css:
  preprocess: false
--
js:
  preprocess: false
$ drush cget --include-overridden system.performance | grep -B1 preprocess
css:
  preprocess: true
--
js:
  preprocess: true

Perhaps we want to turn this config off, but these overrides won't let us.

Where are these config overrides coming from?
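The mechanism that produces output like the above, as an added illustration rather than the original post's own example: a `$config` override in a Drupal settings file. Drupal layers these on top of active config storage at runtime, which is exactly the difference between `drush cget` and `drush cget --include-overridden`. The file name and values are assumptions.

```php
<?php
// Added illustration, not from the original post. Drupal 8+ settings files
// (sites/default/settings.php, or anything it includes such as
// settings.local.php) may set $config[] overrides. They are applied on top
// of the values in active config storage, so the admin UI and plain
// `drush cget` show the stored value while the running site uses the
// override.

$config['system.performance']['css']['preprocess'] = TRUE;
$config['system.performance']['js']['preprocess'] = TRUE;

// Consequences worth knowing when debugging:
//  - `drush cset system.performance css.preprocess false` writes to storage,
//    which the override masks, so the change appears to have no effect.
//  - Overrides can also come from code: any service tagged
//    `config.factory.override` (implementing ConfigFactoryOverrideInterface)
//    is consulted, so a grep of settings files is not the whole search.
```

A first pass when hunting an override is to grep the settings files for the config object name, e.g. `grep -rn "system.performance" sites/*/settings*.php`; if that finds nothing, the override is coming from a module's config override service.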

Remote Code Execution in Drupal via cache injection, drush, entitycache, and create_function

PHP's create_function() was:

DEPRECATED as of PHP 7.2.0, and REMOVED as of PHP 8.0.0

As the docs say, its use is highly discouraged.

PHP 7 is no longer supported by the upstream developers, but it'll still be around for a while longer (because, for example, popular Linux distributions provide support for years beyond the upstream End of Life).
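Why create_function() matters for a cache-injection bug, as an added illustration that is not the Drupal, drush or entitycache code: a hypothetical callback factory that splices a stored value into PHP source, beside the closure that replaces it. The factory, the field name and the poisoned value are assumptions. It runs on PHP 7 (with a deprecation notice from 7.2 onwards); on PHP 8 the first call fails because the function no longer exists.

```php
<?php
// Added illustration, not the Drupal, drush or entitycache code: why
// create_function() turns attacker-influenced data into executed PHP, and
// the closure that replaces it. The callback factory is hypothetical.
// Runs on PHP 7 (deprecation notice from 7.2); PHP 8 has no create_function().

// Legacy: builds a callback that extracts one field from a row. The field
// name is spliced into PHP source, which create_function() passes to eval().
function makeExtractorLegacy(string $field): callable
{
    return create_function('$row', 'return $row["' . $field . '"];');
}

// Replacement: the field name is data captured by a closure, never source.
function makeExtractor(string $field): callable
{
    return function (array $row) use ($field) {
        return $row[$field] ?? null;
    };
}

$rows = [['name' => 'first'], ['name' => 'second']];
print_r(array_map(makeExtractor('name'), $rows));

// Constructed value standing in for a poisoned cache entry. It closes the
// generated function early, so the statement after it sits at the top level
// of the eval'd source: the injected code executes when the callback is
// BUILT, before anything ever calls it.
$poisoned = '"]; } echo "injected code ran\n"; if (0) { return $row["';
$extract = makeExtractorLegacy($poisoned);
```

The generated source is roughly `function __lambda_func($row){return $row[""]; } echo "injected code ran\n"; if (0) { return $row[""];}`, which is valid PHP; the closing brace supplied by the attacker ends the lambda and everything after it runs immediately. Any path by which untrusted bytes reach the arguments of create_function() (a cache entry, a database row, a configuration value) is therefore remote code execution, which is why the only real fix is to remove the call.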

Insecure Deserialisation and IDOR, oh my!

A few years ago I found quite an interesting vulnerability in a contributed Drupal module called tablefield.

The module allows Drupal entities to hold tabular data, and the vulnerability was a combination of Insecure Deserialisation and a type of Insecure Direct Object Reference (IDOR).

The fix was released over 4 years ago so sufficient time has passed for me to share some more details.
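The PHP Object Injection in the Aridius modules at the top of this page and the tablefield bug here share one root cause, so a single added example covers both: a minimal gadget class, the unserialize() call that lets attacker-controlled bytes instantiate it, and two ways to close the hole. This is illustrative code, not the Aridius or tablefield source; the class, its side effect and the stored-data format are assumptions, and the payload is constructed inline.

```php
<?php
// Added illustration, not the Aridius or tablefield code: a minimal gadget
// class, the unserialize() call that lets attacker bytes instantiate it, and
// two fixes. The class, its side effect and the stored-data format are
// assumptions; the payload is constructed inline.

class TempFile
{
    public $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Gadget: runs when any instance is freed, including instances that
    // unserialize() built from data the application never created itself.
    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable: a serialized field loaded straight back with unserialize().
// With the IDOR half of the tablefield bug the field's source is chosen by
// the attacker; with a request parameter it is supplied directly.
function loadCellsVulnerable(string $stored): array
{
    return (array) unserialize($stored);
}

// Fix 1: allowed_classes => false. Class names in the payload become
// __PHP_Incomplete_Class, so no __destruct/__wakeup/__toString ever runs.
function loadCellsFixed(string $stored): array
{
    $data = unserialize($stored, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Fix 2: store JSON instead. json_decode() only produces arrays and scalars
// (or stdClass), none of which carry gadget methods.
function loadCellsJson(string $stored): array
{
    return json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed payload: a serialized array whose "cell" is a TempFile aimed
// at a file the attacker wants removed. Built as a string, not via
// serialize(), so no TempFile object exists in this script until the
// vulnerable function creates one.
$victim = tempnam(sys_get_temp_dir(), 'poi');
$payload = sprintf(
    'a:1:{s:4:"cell";O:8:"TempFile":1:{s:4:"path";s:%d:"%s";}}',
    strlen($victim),
    $victim
);

loadCellsFixed($payload);
var_dump(is_file($victim));

loadCellsVulnerable($payload);
var_dump(is_file($victim));
```

The first var_dump shows the file still present: with `allowed_classes => false` the class is never instantiated. The second shows it gone: the vulnerable loader built a real TempFile, the returned array was discarded, and `__destruct()` ran on an object the application never meant to create. Real gadget chains do the same with classes already loaded by the framework (file writes, template rendering, database calls) rather than a class the attacker would have to supply.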

The module has a hook_menu page callback (Drupal 7's equivalent of a route) that looks like this:
