[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : WHMCS Group Pay Plugin 1.5 (grouppay.php, hash param) - SQL Injection
# Published : 2013-04-08
# Author :
# Previous Title : Sophos Web Protection Appliance 3.7.8.1 - Multiple Vulnerabilities
# Next Title : nginx 0.6.x Arbitrary Code Execution NullByte Injection


#######################################################################

Tile:      WHMCS grouppay plugin SQL Injection <= 1.5
Author: HJauditing Employee Tim
E-mail: Tim@HJauditing.com
Web:    http://hjauditing.com/
Plugin: http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html

#######################################################################

============
Introduction
============

We have found a SQL injection inside the group pay plugin for WHCMS.
A lot of game hosting companies are using this plugin.
SQL Injection is in the function gp_LoadUserFromHash.

============
Exploits
============

- SQL Injection
grouppay.php?hash=%hash%' and '1'='1

============
Code SQL Injection
============

/modules/addons/group_pay/functions_hash.php
function gp_LoadUserFromHash($hash) {
    //Kill the Dashes
    $hash = str_replace ( "-", "", $hash );
    $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
    if($result){
        $row = mysql_fetch_row ( $result );
        return $row [0];
    }else{
        return false;   
    }
}

============
Fix
============

/modules/addons/group_pay/functions_hash.php
function gp_LoadUserFromHash($hash) {
    //Kill the Dashes
    $hash = str_replace ( "-", "", $hash );
    $hash = mysql_real_escape_string($hash);
    $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
    if($result){
        $row = mysql_fetch_row ( $result );
        return $row [0];
    }else{
        return false;   
    }
}

#######################################################################?