Published On: Saturday, 19 October 2013
Posted by Unknown

WHMCS 5.2.8 SQLI Vulnerability (0day)



Hi friends,
Here again is a new 0day for WHMCS.
It affects version 5.2.8 (the current version).

Again, shit-poor coding in the new version of WHMCS.
The epicness is not over. They made the same mistake in

/includes/dbfunctions.php

We can manipulate the GET/POST variables and end up with something like $key = array('sqltype' => 'TABLEJOIN', 'value' => '[SQLI]');

By using this vulnerability we can also change /configuration.php to whatever we want.

Vulnerability Details:

/includes/dbfunctions.php:

<?php
function select_query($table, $fields, $where, $orderby = '', $orderbyorder = '', $limit = '', $innerjoin = '') {
    global $CONFIG;
    global $query_count;
    global $mysql_errors;
    global $whmcsmysql;
    if (!$fields) {
        $fields = '*';
    }
    $query = 'SELECT ' . $fields . ' FROM ' . db_make_safe_field($table);
    if ($innerjoin) {
        $query .= ' INNER JOIN ' . db_escape_string($innerjoin);
    }
    if ($where) {
        if (is_array($where)) {
            $criteria = array();
            foreach ($where as $origkey => $value) {
                $key = db_make_safe_field($origkey);
                // An array value selects the comparison through its 'sqltype' entry.
                if (is_array($value)) {
                    if ($key == 'default') {
                        $key = '`default`';
                    }
                    if ($value['sqltype'] == 'LIKE') {
                        $criteria[] = $key . ' LIKE \'%' . db_escape_string($value['value']) . '%\'';
                        continue;
                    }
                    if ($value['sqltype'] == 'NEQ') {
                        $criteria[] = $key . '!=\'' . db_escape_string($value['value']) . '\'';
                        continue;
                    }
                    if ($value['sqltype'] == '>') {
                        $criteria[] = $key . '>' . db_escape_string($value['value']);
                        continue;
                    }
                    if ($value['sqltype'] == '<') {
                        $criteria[] = $key . '<' . db_escape_string($value['value']);
                        continue;
                    }
                    if ($value['sqltype'] == '<=') {
                        $criteria[] = $origkey . '<=' . db_escape_string($value['value']);
                        continue;
                    }
                    if ($value['sqltype'] == '>=') {
                        $criteria[] = $origkey . '>=' . db_escape_string($value['value']);
                        continue;
                    }
                    // The value is escaped but placed into the query without quotes.
                    if ($value['sqltype'] == 'TABLEJOIN') {
                        $criteria[] = $key . '=' . db_escape_string($value['value']);
                        continue;
                    }
                    if ($value['sqltype'] == 'IN') {
                        $criteria[] = $key . ' IN (\'' . implode('\',\'', db_escape_array($value['values'])) . '\')';
                        continue;
                    }
                    continue;
                }
[...]
?>
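
Why escaping does not help in the TABLEJOIN branch, and one way to close it, as an added example (not WHMCS code and not from the original post): the operand is concatenated without quotes, so it has to be validated as a column reference, and request parameters that arrive as arrays should be rejected before they reach a query builder. The helper names `safe_join_operand`, `scalar_param` and `build_tablejoin`, and the sample table and column names, are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not part of WHMCS.

// The TABLEJOIN operand is emitted without quotes, so string escaping cannot
// constrain it. Accept only `column` or `table.column` and backtick-quote it.
function safe_join_operand($value)
{
    $ident = '[A-Za-z_][A-Za-z0-9_]*';
    $pattern = '/\A' . $ident . '(\.' . $ident . ')?\z/';
    if (!is_string($value) || !preg_match($pattern, $value)) {
        throw new InvalidArgumentException('invalid column reference');
    }
    return '`' . str_replace('.', '`.`', $value) . '`';
}

// Read a request parameter that must be a plain string. PHP parses
// name[key]=value parameters into arrays, which is how a caller-supplied
// array('sqltype' => ..., 'value' => ...) can reach the $where argument.
function scalar_param(array $request, $name)
{
    if (!isset($request[$name])) {
        return null;
    }
    if (!is_string($request[$name])) {
        throw new InvalidArgumentException("parameter $name must be a string");
    }
    return $request[$name];
}

// Build the join criterion from validated identifiers only.
function build_tablejoin($column, $operand)
{
    return safe_join_operand($column) . '=' . safe_join_operand($operand);
}

// Constructed sample inputs (table and column names are made up).
echo build_tablejoin('orders.client_id', 'clients.id'), "\n";

try {
    // An array where a scalar is expected is refused before any SQL is built.
    $request = array('id' => array('sqltype' => 'TABLEJOIN', 'value' => 'x'));
    scalar_param($request, 'id');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```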


So why wait for WHMCS to fix it :p

Just edit your previous 5.2.7 SQLi 0day script or download the new modified script from below:

http://www.mediafire.com/view/r6mrq71wxlwwv9t/whmcs2.py

or

https://www.dropbox.com/s/p2uta0bj41ya7gw/whmcs2.py


Now, enjoy and stay tuned with us.

Credit: Localhost.re

Posted by Unknown on 00:22.