Summary

A SQL injection in the Commerce TotalRevenue widget can lead to remote code execution through a chain of four vulnerabilities:

• SQL Injection -- The TotalRevenue stat interpolates unsanitized widget settings directly into a sprintf-based SQL Expression. Any control panel user can create any widget type without permission checks.

• PDO Multi-Statement Queries -- PHP PDO MySQL enables CLIENT_MULTI_STATEMENTS by default. Neither Yii2 nor Craft CMS disables it. This allows stacking an INSERT statement after the injected SELECT , writing a maliciously serialized PHP object into the queue table.

• Unrestricted unserialize() -- The yii2-queue PhpSerializer calls unserialize() with no allowed_classes restriction on every queue job. When the queue consumer processes the injected job, it instantiates the attacker-controlled object.

• Gadget Chain (FileCookieJar) -- GuzzleHttp\Cookie\FileCookieJar (a standard Guzzle dependency) has an unguarded __destruct() method that calls file_put_contents(). The attacker’s serialized payload writes a PHP webshell to the server’s webroot. PHP tags survive json_encode() because Guzzle uses options=0 (no JSON_HEX_TAG).

The complete chain requires 3 HTTP requests and achieves arbitrary command execution as the PHP process user. Queue processing is triggered via GET /actions/queue/run, an endpoint that requires no authentication ($allowAnonymous = ['run']).

RCE Exploitation Steps

• Authenticate as any control panel user
• POST to /admin/actions/dashboard/create-widget with stacked SQL injection:
• settings[type] contains the stacked INSERT with the serialized gadget chain
• Response: HTTP 500 (expected -- INSERT already committed)
• Trigger queue processing: GET /actions/queue/run
• Queue consumer deserializes the gadget chain
• FileCookieJar::__destruct() writes webshell to webroot
• Access the webshell: GET /poc_rce.php?c=id
• Response: uid=1000(home) gid=1000(home) groups=1000(home)

References

6d2d24b