61 lines
No EOL
1.7 KiB
Text
61 lines
No EOL
1.7 KiB
Text
#######################################################################
|
||
|
||
Tile: WHMCS grouppay plugin SQL Injection <= 1.5
|
||
Author: HJauditing Employee Tim
|
||
E-mail: Tim@HJauditing.com
|
||
Web: http://hjauditing.com/
|
||
Plugin: http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html
|
||
|
||
#######################################################################
|
||
|
||
============
|
||
Introduction
|
||
============
|
||
|
||
We have found a SQL injection inside the group pay plugin for WHCMS.
|
||
A lot of game hosting companies are using this plugin.
|
||
SQL Injection is in the function gp_LoadUserFromHash.
|
||
|
||
============
|
||
Exploits
|
||
============
|
||
|
||
- SQL Injection
|
||
grouppay.php?hash=%hash%' and '1'='1
|
||
|
||
============
|
||
Code SQL Injection
|
||
============
|
||
|
||
/modules/addons/group_pay/functions_hash.php
|
||
function gp_LoadUserFromHash($hash) {
|
||
//Kill the Dashes
|
||
$hash = str_replace ( "-", "", $hash );
|
||
$result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
|
||
if($result){
|
||
$row = mysql_fetch_row ( $result );
|
||
return $row [0];
|
||
}else{
|
||
return false;
|
||
}
|
||
}
|
||
|
||
============
|
||
Fix
|
||
============
|
||
|
||
/modules/addons/group_pay/functions_hash.php
|
||
function gp_LoadUserFromHash($hash) {
|
||
//Kill the Dashes
|
||
$hash = str_replace ( "-", "", $hash );
|
||
$hash = mysql_real_escape_string($hash);
|
||
$result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
|
||
if($result){
|
||
$row = mysql_fetch_row ( $result );
|
||
return $row [0];
|
||
}else{
|
||
return false;
|
||
}
|
||
}
|
||
|
||
####################################################################### |