header-logo
Suggest Exploit
vendor:
WHMCS grouppay plugin
by:
HJauditing Employee Tim
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: WHMCS grouppay plugin
Affected Version From: 1.5
Affected Version To: 1.5
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

WHMCS grouppay plugin SQL Injection <= 1.5

We have found a SQL injection inside the group pay plugin for WHCMS. A lot of game hosting companies are using this plugin. SQL Injection is in the function gp_LoadUserFromHash. Exploits can be done by using the grouppay.php?hash=%hash%' and '1'='1

Mitigation:

The fix for this vulnerability is to use mysql_real_escape_string() to sanitize the user input before passing it to the query.
Source

Exploit-DB raw data:

#######################################################################

Tile:      WHMCS grouppay plugin SQL Injection <= 1.5
Author: HJauditing Employee Tim
E-mail: Tim@HJauditing.com
Web:    http://hjauditing.com/
Plugin: http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html

#######################################################################

============
Introduction
============

We have found a SQL injection inside the group pay plugin for WHCMS.
A lot of game hosting companies are using this plugin.
SQL Injection is in the function gp_LoadUserFromHash.

============
Exploits
============

- SQL Injection
grouppay.php?hash=%hash%' and '1'='1

============
Code SQL Injection
============

/modules/addons/group_pay/functions_hash.php
function gp_LoadUserFromHash($hash) {
    //Kill the Dashes
    $hash = str_replace ( "-", "", $hash );
    $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
    if($result){
        $row = mysql_fetch_row ( $result );
        return $row [0];
    }else{
        return false;   
    }
}

============
Fix
============

/modules/addons/group_pay/functions_hash.php
function gp_LoadUserFromHash($hash) {
    //Kill the Dashes
    $hash = str_replace ( "-", "", $hash );
    $hash = mysql_real_escape_string($hash);
    $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
    if($result){
        $row = mysql_fetch_row ( $result );
        return $row [0];
    }else{
        return false;   
    }
}

#######################################################################

Navigation

Suggest Exploit

Services By CQR