Here we go again: poor WHMCS, the new version has been exploited again!
This time it's the same mistake again, in
/includes/dbfunctions.php
We can manipulate the GET/POST variables and end up with something like $key = array('sqltype' => 'TABLEJOIN', 'value' => '[SQLI]');
From this vulnerability
we can even change /configuration.php to whatever we want (PHP code included).
Code:
$value) {
    $key = db_make_safe_field($origkey);
    if (is_array($value)) {
        // Array-typed values select a branch through their 'sqltype' entry.
        if ($key == 'default') {
            $key = '`default`';
        }
        if ($value['sqltype'] == 'LIKE') {
            $criteria[] = $key . ' LIKE \'%' . db_escape_string($value['value']) . '%\'';
            continue;
        }
        if ($value['sqltype'] == 'NEQ') {
            $criteria[] = $key . '!=\'' . db_escape_string($value['value']) . '\'';
            continue;
        }
        if ($value['sqltype'] == '>') {
            // No quotes around the value: string escaping alone does not keep it inside a literal.
            $criteria[] = $key . '>' . db_escape_string($value['value']);
            continue;
        }
        if ($value['sqltype'] == '=') {
            $criteria[] = $origkey . '>=' . db_escape_string($value['value']);
            continue;
        }
        if ($value['sqltype'] == 'TABLEJOIN') {
            // The branch the post points at: the value is appended unquoted after '='.
            $criteria[] = $key . '=' . db_escape_string($value['value']);
            continue;
        }
        if ($value['sqltype'] == 'IN') {
            $criteria[] = $key . ' IN (\'' . implode('\',\'', db_escape_array($value['values'])) . '\')';
            continue;
        }
        continue;
    }
[...]
?>
So re-edit your previous WHMCS.py exploit script and enjoy!
Original source: WHMCS 5.2.8 Vulnerability ? localhost
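
An added example, not part of the original post and not WHMCS code: one way to close the two gaps the snippet shows, by refusing array-typed request parameters and by validating the operand of the unquoted branches instead of escaping it. The function names, the sample request and the table and column names are assumptions made for illustration.

```php
<?php
// Added example, not WHMCS code; all function names are hypothetical.

// PHP turns name[key]=v request parameters into arrays, so force a scalar.
function request_scalar(array $source, string $name): string
{
    $v = $source[$name] ?? '';
    if (!is_scalar($v)) {
        throw new InvalidArgumentException("parameter '$name' must be a scalar");
    }
    return (string) $v;
}

// Accept only column or table.column, then back-quote each part.
function quote_identifier(string $ref): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/D', $ref)) {
        throw new InvalidArgumentException('not a column reference');
    }
    return '`' . str_replace('.', '`.`', $ref) . '`';
}

// The two unquoted branches: numeric operand for '>', identifier for TABLEJOIN.
function build_criterion(string $key, array $value): string
{
    $col = quote_identifier($key);
    $operand = $value['value'] ?? '';
    switch ($value['sqltype'] ?? '') {
        case '>':
            if (!is_numeric($operand)) {
                throw new InvalidArgumentException('operand must be numeric');
            }
            return $col . '>' . ($operand + 0);
        case 'TABLEJOIN':
            return $col . '=' . quote_identifier($operand);
        default:
            throw new InvalidArgumentException('unsupported sqltype');
    }
}

// Constructed input in the array shape described in the post.
$request = ['id' => ['sqltype' => 'TABLEJOIN', 'value' => '[SQLI]']];
try {
    request_scalar($request, 'id');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
// Constructed table and column names.
echo build_criterion('tblhosting.userid', ['sqltype' => 'TABLEJOIN', 'value' => 'tblclients.id']), "\n";
```

Criteria arrays with a 'sqltype' entry should only ever be built by application code; parameterized queries remove the need for per-branch escaping altogether.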