
WHMCS Group Pay Module "hash" SQL Injection Vulnerability

Source: Tim (darksock@uhagr.org)      Published: 2013-02-15 16:30:00

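WHMCS is a client management, billing and support solution for e-commerce. GroupPay is the ClanPay for WHMCS.

The 1.x versions of the WHMCS Group Pay module do not properly filter the value of the "hash" GET parameter of grouppay.php. This implementation flaw allows arbitrary SQL code to be injected.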

 

CVE-ID:2013-3536

Affected systems:

Grouppay Grouppay <= 1.5

 

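Test method:

Warning: the following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

#######################################################################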

 

Title:     WHMCS grouppay plugin SQL Injection <= 1.5

Author: HJauditing Employee Tim

E-mail: Tim@HJauditing.com

Web:    http://hjauditing.com/

Plugin: http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html

 

#######################################################################

 

============

Introduction

============

 

We have found a SQL injection inside the group pay plugin for WHMCS.

A lot of game hosting companies are using this plugin.

SQL Injection is in the function gp_LoadUserFromHash.

 

============

Exploits

============

 

- SQL Injection

grouppay.php?hash=%hash%' and '1'='1

 

============

Code SQL Injection

============

 

/modules/addons/group_pay/functions_hash.php

function gp_LoadUserFromHash($hash) {
    //Kill the Dashes
    $hash = str_replace ( "-", "", $hash );
    // Vulnerable: $hash comes from the "hash" GET parameter and is placed
    // into the SQL string without escaping or validation.
    $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
    if($result){
        $row = mysql_fetch_row ( $result );
        return $row [0];
    }else{
        return false;
    }
}

 

============

Fix

============

 

/modules/addons/group_pay/functions_hash.php

function gp_LoadUserFromHash($hash) {
    //Kill the Dashes
    $hash = str_replace ( "-", "", $hash );
    // Escape the value before it is placed inside the quoted SQL string literal
    $hash = mysql_real_escape_string($hash);
    $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
    if($result){
        $row = mysql_fetch_row ( $result );
        return $row [0];
    }else{
        return false;
    }
}

 

#######################################################################
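
An alternative hardening of gp_LoadUserFromHash, added here as an example and not part of the advisory above or of the Group Pay module: it rejects any "hash" value that is not 32 hex digits once the dashes are removed, and passes the value through a PDO prepared statement instead of building the SQL string. The function names gp_normalize_hash and gp_load_user_from_hash_safe, the sample row and the in-memory SQLite database standing in for the WHMCS MySQL database are assumptions.

```php
<?php
// Added example, not the Group Pay module's code. Function names are hypothetical.

// Return the hash as 32 lowercase hex digits, or null if it cannot be an MD5 digest.
function gp_normalize_hash($hash): ?string
{
    if (!is_string($hash)) {          // ?hash[]=x reaches PHP as an array
        return null;
    }
    $hash = strtolower(str_replace('-', '', $hash));   // same dash stripping as the module
    return preg_match('/\A[0-9a-f]{32}\z/', $hash) === 1 ? $hash : null;
}

// Look up the client id for a hash. Returns the id as int, or false when
// the hash is malformed or matches no client.
function gp_load_user_from_hash_safe(PDO $db, $hash)
{
    $hash = gp_normalize_hash($hash);
    if ($hash === null) {
        return false;
    }
    // The value travels as a bound parameter and never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id FROM tblclients WHERE md5(CONCAT(id, email)) = ?');
    $stmt->execute([$hash]);
    $id = $stmt->fetchColumn();
    return $id === false ? false : (int) $id;
}

// Demo on an in-memory SQLite database (assumption: stands in for the WHMCS MySQL
// database; md5() and concat() are registered because SQLite may not provide them).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->sqliteCreateFunction('md5', 'md5', 1);
$db->sqliteCreateFunction('concat', function (...$parts) { return implode('', $parts); });
$db->exec('CREATE TABLE tblclients (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO tblclients (id, email) VALUES (1, 'alice@example.test')"); // constructed row

$valid = md5('1alice@example.test');                       // hash of the constructed row
$dashed = substr($valid, 0, 8) . '-' . substr($valid, 8);  // same hash written with a dash
var_dump(gp_load_user_from_hash_safe($db, $valid));                   // well-formed hash
var_dump(gp_load_user_from_hash_safe($db, $dashed));                  // dashed form
var_dump(gp_load_user_from_hash_safe($db, $valid . "' and '1'='1"));  // test string from the advisory
var_dump(gp_load_user_from_hash_safe($db, ['x']));                    // array input
```

The format check alone already stops the quoted test string, and the bound parameter keeps the query safe if the check is later loosened.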

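Solution:

Vendor patch:

Grouppay

--------

The vendor has not yet provided a patch or an upgrade. We recommend that users of this software watch the vendor's homepage for the latest version: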

http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html

References:

http://secunia.com/advisories/52804