WHMCS Grouppay plugin versions 1.5 and below suffer from a remote SQL injection vulnerability.
b304a2f0298f4ebff558dc745a1da74d9a5e6cedcfe956f2fc1f606759a2b27f#######################################################################
Tile: WHMCS grouppay plugin SQL Injection <= 1.5
Author: HJauditing Employee Tim
E-mail: Tim@HJauditing.com
Web: http://hjauditing.com/
Plugin: http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html
#######################################################################
============
Introduction
============
We have found a SQL injection inside the group pay plugin for WHCMS.
A lot of game hosting companies are using this plugin.
SQL Injection is in the function gp_LoadUserFromHash.
============
Exploits
============
- SQL Injection
grouppay.php?hash=%hash%' and '1'='1
============
Code SQL Injection
============
/modules/addons/group_pay/functions_hash.php
function gp_LoadUserFromHash($hash) {
//Kill the Dashes
$hash = str_replace ( "-", "", $hash );
$result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
if($result){
$row = mysql_fetch_row ( $result );
return $row [0];
}else{
return false;
}
}
============
Fix
============
/modules/addons/group_pay/functions_hash.php
function gp_LoadUserFromHash($hash) {
//Kill the Dashes
$hash = str_replace ( "-", "", $hash );
$hash = mysql_real_escape_string($hash);
$result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
if($result){
$row = mysql_fetch_row ( $result );
return $row [0];
}else{
return false;
}
}
#######################################################################
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed