扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 |
####################################################################### Tile:WHMCS grouppay plugin SQL Injection <= 1.5 Author: HJauditing Employee Tim E-mail: Tim@HJauditing.com Web:http://hjauditing.com/ Plugin: http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html ####################################################################### ============ Introduction ============ We have found a SQL injection inside the group pay plugin for WHCMS. A lot of game hosting companies are using this plugin. SQL Injection is in the function gp_LoadUserFromHash. ============ Exploits ============ - SQL Injection grouppay.php?hash=%hash%' and '1'='1 ============ Code SQL Injection ============ /modules/addons/group_pay/functions_hash.php function gp_LoadUserFromHash($hash) { //Kill the Dashes $hash = str_replace ( "-", "", $hash ); $result = mysql_query ( "SELECT <code>id</code> from tblclients where md5(CONCAT(id,email)) = '$hash'" ); if($result){ $row = mysql_fetch_row ( $result ); return $row [0]; }else{ return false; } } ============ Fix ============ /modules/addons/group_pay/functions_hash.php function gp_LoadUserFromHash($hash) { //Kill the Dashes $hash = str_replace ( "-", "", $hash ); $hash = mysql_real_escape_string($hash); $result = mysql_query ( "SELECT <code>id</code> from tblclients where md5(CONCAT(id,email)) = '$hash'" ); if($result){ $row = mysql_fetch_row ( $result ); return $row [0]; }else{ return false; } } ####################################################################### |
体验盒子
