
WHMCS grouppay plugin SQL Injection


#################################

Title: WHMCS grouppay plugin SQL Injection <= 1.5
Author: HJauditing Employee Tim
E-mail: Tim@HJauditing.com
Web: http://hjauditing.com/
Plugin: http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html

##################################

============
Introduction
============

We have found a SQL injection in the group pay plugin for WHMCS.
A lot of game hosting companies are using this plugin.
The SQL injection is in the function gp_LoadUserFromHash, which places the hash value into the query string unescaped.

============
Exploits
============

- SQL Injection
grouppay.php?hash=%hash%' and '1'='1

============
Code SQL Injection
============

/modules/addons/group_pay/functions_hash.php

function gp_LoadUserFromHash($hash) {
    //Kill the Dashes
    $hash = str_replace ( "-", "", $hash );
    $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
    if($result){
        $row = mysql_fetch_row ( $result );
        return $row [0];
    }else{
        return false;
    }
}

============
Fix
============

/modules/addons/group_pay/functions_hash.php

function gp_LoadUserFromHash($hash) {
    //Kill the Dashes
    $hash = str_replace ( "-", "", $hash );
    //Escape the value before it is placed inside the quoted literal
    $hash = mysql_real_escape_string($hash);
    $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
    if($result){
        $row = mysql_fetch_row ( $result );
        return $row [0];
    }else{
        return false;
    }
}
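
The fix above relies on mysql_real_escape_string, which only protects a value that stays inside quotes and belongs to the mysql_* extension that was removed in PHP 7.0. As an added example (not the plugin's or the advisory author's code), the same lookup with strict validation of the hash and a bound parameter; the function names gp_NormalizeHash and gp_LoadUserFromHashSafe and the PDO handle $db are assumptions.

```php
<?php
// Added example, not the plugin's code. Function names and the PDO
// handle passed in as $db are assumptions made for illustration.

/**
 * Normalise the ?hash= value: strip dashes (as the plugin does), then
 * accept only a 32-character hex MD5 digest. Returns null otherwise.
 */
function gp_NormalizeHash($raw): ?string
{
    if (!is_string($raw)) {          // e.g. ?hash[]=x arrives as an array
        return null;
    }
    $hash = strtolower(str_replace('-', '', $raw));
    return preg_match('/\A[0-9a-f]{32}\z/', $hash) === 1 ? $hash : null;
}

/**
 * Look up the client id with a bound parameter instead of string
 * interpolation. Returns the id as int, or false when nothing matches.
 */
function gp_LoadUserFromHashSafe(PDO $db, $raw)
{
    $hash = gp_NormalizeHash($raw);
    if ($hash === null) {
        return false;                // rejected before reaching the database
    }
    $stmt = $db->prepare(
        'SELECT `id` FROM tblclients WHERE md5(CONCAT(id, email)) = ? LIMIT 1'
    );
    $stmt->execute([$hash]);
    $id = $stmt->fetchColumn();      // false when no row matched
    return $id === false ? false : (int) $id;
}

// Constructed inputs; the second is the probe string quoted in this advisory.
$samples = [
    md5('1' . 'client@example.test'),
    "%hash%' and '1'='1",
    'ABCDEF01-2345-6789-abcd-ef0123456789',
];
foreach ($samples as $s) {
    var_export(gp_NormalizeHash($s));   // normalised digest, or NULL if rejected
    echo "\n";
}
```

Running the script needs no database: it only exercises the validator, while gp_LoadUserFromHashSafe expects a PDO connection to the WHMCS MySQL database.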

#############################





//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
