WHMCS Group Pay Module "hash" SQL Injection Vulnerability

Published: 2013-05-17
Updated: 2013-05-17

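Affected systems:
Grouppay Grouppay <= 1.5
Description:
CVE(CAN) ID: CVE-2013-3536

WHMCS is a client management, billing and support solution for e-commerce. GroupPay is WHMCS's ClanPay.

Version 1.x of the WHMCS Group Pay module does not properly sanitize the value of the "hash" GET parameter of grouppay.php. This implementation flaw allows arbitrary SQL code to be injected.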

<*Source: Tim (darksock@uhagr.org)
  
  Link: http://secunia.com/advisories/52804
*>

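Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!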

#######################################################################

Title:     WHMCS grouppay plugin SQL Injection <= 1.5
Author: HJauditing Employee Tim
E-mail: Tim@HJauditing.com
Web:    http://hjauditing.com/
Plugin: http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html

#######################################################################

============
Introduction
============

We have found a SQL injection inside the group pay plugin for WHMCS.
A lot of game hosting companies are using this plugin.
SQL Injection is in the function gp_LoadUserFromHash.

============
Exploits
============

- SQL Injection
grouppay.php?hash=%hash%' and '1'='1

============
Code SQL Injection
============

/modules/addons/group_pay/functions_hash.php
function gp_LoadUserFromHash($hash) {
    //Kill the Dashes
    $hash = str_replace ( "-", "", $hash );
    $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
    if($result){
        $row = mysql_fetch_row ( $result );
        return $row [0];
    }else{
        return false;  
    }
}

============
Fix
============

/modules/addons/group_pay/functions_hash.php
function gp_LoadUserFromHash($hash) {
    //Kill the Dashes
    $hash = str_replace ( "-", "", $hash );
    $hash = mysql_real_escape_string($hash);
    $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
    if($result){
        $row = mysql_fetch_row ( $result );
        return $row [0];
    }else{
        return false;  
    }
}

#######################################################################
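
An added example (not part of the advisory or the module's own code) that goes one step beyond the escaping fix above: it checks that the value has the shape of an MD5 digest and passes it as a bound parameter. It assumes a PDO connection; the function name gp_LoadUserFromHashSafe and the in-memory SQLite demo table are hypothetical.

```php
<?php
// Added example, not the module's code: hardened variant of gp_LoadUserFromHash().
// Assumption: the caller supplies a PDO connection (the original uses mysql_*).

function gp_LoadUserFromHashSafe(PDO $db, string $hash)
{
    // Same normalisation as the original: strip the dashes.
    $hash = str_replace('-', '', $hash);

    // An MD5 digest is exactly 32 hex characters; refuse anything else
    // before it gets near the database.
    if (!preg_match('/\A[0-9a-fA-F]{32}\z/', $hash)) {
        return false;
    }

    // The value travels as a bound parameter, so a quote inside it can never
    // terminate the string literal in the SQL text.
    $stmt = $db->prepare(
        'SELECT `id` FROM tblclients WHERE md5(CONCAT(id, email)) = :hash LIMIT 1'
    );
    $stmt->execute([':hash' => strtolower($hash)]);
    $id = $stmt->fetchColumn();

    return $id === false ? false : (int) $id;
}

// Constructed demo data: in-memory SQLite stands in for MySQL, with md5() and
// CONCAT() registered as user functions so the same SQL text runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->sqliteCreateFunction('md5', 'md5', 1);
$db->sqliteCreateFunction('CONCAT', fn (...$parts) => implode('', $parts));
$db->exec('CREATE TABLE tblclients (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO tblclients (email) VALUES ('alice@example.test'), ('bob@example.test')");

$valid = md5('2' . 'bob@example.test');
var_dump(gp_LoadUserFromHashSafe($db, $valid));                  // well-formed hash of an existing client
var_dump(gp_LoadUserFromHashSafe($db, $valid . "' and '1'='1")); // the advisory's test suffix appended
var_dump(gp_LoadUserFromHashSafe($db, str_repeat('0', 32)));     // well-formed hash with no matching client
```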

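Recommendation:
Vendor patch:

Grouppay
--------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software keep watching the vendor's home page for the latest version: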

http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html

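This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.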