Here is another new 0day in WHMCS.
It affects version 5.2.8 (the current version at the time of writing).
Again, poor coding in the new WHMCS release. The epicness is not over: they make the same mistake in
/includes/dbfunctions.php
The $where array handed to select_query() is built from GET/POST variables we control, so we can manipulate them and end up with an entry like $where[$key]
= array('sqltype' => 'TABLEJOIN', 'value' => '[SQLI]');
For the TABLEJOIN, >, <, <= and >= branches the value goes through db_escape_string() but is then concatenated into the query with no surrounding quotes, so escaping quote characters achieves nothing: whatever is in 'value' is appended to the WHERE clause as raw SQL. The <= and >= branches also use the unsanitised $origkey instead of $key.
By using this vulnerability we can also change /configuration.php to
whatever we want.
Vulnerability Details:
/includes/dbfunctions.php:
<?php
function select_query($table, $fields, $where, $orderby = '', $orderbyorder = '', $limit = '', $innerjoin = '')
{
    global $CONFIG;
    global $query_count;
    global $mysql_errors;
    global $whmcsmysql;
    if (!$fields) {
        $fields = '*';
    }
    $query = 'SELECT ' . $fields . ' FROM ' . db_make_safe_field($table);
    if ($innerjoin) {
        $query .= ' INNER JOIN ' . db_escape_string($innerjoin);
    }
    if ($where) {
        if (is_array($where)) {
            $criteria = array();
            foreach ($where as $origkey => $value) {
                // Only $key is sanitised; $origkey is the raw, attacker-supplied array key.
                $key = db_make_safe_field($origkey);
                if (is_array($value)) {
                    if ($key == 'default') {
                        $key = '`default`';
                    }
                    // LIKE and NEQ wrap the escaped value in quotes, so escaping is effective here.
                    if ($value['sqltype'] == 'LIKE') {
                        $criteria[] = $key . ' LIKE \'%' . db_escape_string($value['value']) . '%\'';
                        continue;
                    }
                    if ($value['sqltype'] == 'NEQ') {
                        $criteria[] = $key . '!=\'' . db_escape_string($value['value']) . '\'';
                        continue;
                    }
                    // From here on the escaped value is concatenated WITHOUT quotes:
                    // db_escape_string() only neutralises quote characters, so the
                    // value lands in the query as raw SQL.
                    if ($value['sqltype'] == '>') {
                        $criteria[] = $key . '>' . db_escape_string($value['value']);
                        continue;
                    }
                    if ($value['sqltype'] == '<') {
                        $criteria[] = $key . '<' . db_escape_string($value['value']);
                        continue;
                    }
                    // <= and >= additionally use the unsanitised $origkey instead of $key.
                    if ($value['sqltype'] == '<=') {
                        $criteria[] = $origkey . '<=' . db_escape_string($value['value']);
                        continue;
                    }
                    if ($value['sqltype'] == '>=') {
                        $criteria[] = $origkey . '>=' . db_escape_string($value['value']);
                        continue;
                    }
                    if ($value['sqltype'] == 'TABLEJOIN') {
                        $criteria[] = $key . '=' . db_escape_string($value['value']);
                        continue;
                    }
                    // IN is the only multi-value branch; each element is quoted.
                    if ($value['sqltype'] == 'IN') {
                        $criteria[] = $key . ' IN (\'' . implode('\',\'', db_escape_array($value['values'])) . '\')';
                        continue;
                    }
                    continue;
                }
                [...]
?>
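To make the unquoted-value problem concrete, here is an added example (my own code, not WHMCS's) that mirrors the criteria logic of select_query() in Python against an in-memory SQLite table. escape_string() and make_safe_field() are stand-ins for db_escape_string() and db_make_safe_field(): the escaper doubles quotes so SQLite accepts the output (MySQL's would backslash them), and I assume that is all the real helpers do. The sample table tblclients, its rows and the ALLOWED_COLUMNS allowlist are constructed for the demo. It builds the same payload the text describes for the > branch, shows that escaping does not stop it because nothing in it is quoted, shows the quoted LIKE branch surviving the same trick, and contrasts a hardened builder that allowlists identifiers, type-checks numeric comparisons and binds values as parameters.

```python
import re
import sqlite3

# Constructed sample data; the table and columns are illustrative, not WHMCS's schema.
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]

# Hypothetical allowlist consulted by the hardened builder (not part of WHMCS).
ALLOWED_COLUMNS = {"tblclients": {"id", "firstname"}}
NUMERIC_OPS = {">", "<", ">=", "<="}


def make_conn():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblclients (id INTEGER, firstname TEXT)")
    conn.executemany("INSERT INTO tblclients VALUES (?, ?)", ROWS)
    return conn


def escape_string(value):
    """Stand-in for db_escape_string(): neutralises quote characters (doubled here
    so SQLite accepts the result; MySQL's escaper backslashes them). It leaves
    spaces, operators and keywords alone, so it cannot protect an unquoted value."""
    return str(value).replace("'", "''")


def make_safe_field(name):
    """Stand-in for db_make_safe_field(): keep only identifier characters."""
    return re.sub(r"[^A-Za-z0-9_]", "", name)


def build_vulnerable(table, where):
    """Mirrors select_query(): values are escaped, but for >, <, <=, >= and
    TABLEJOIN they are concatenated without quotes."""
    criteria = []
    for origkey, value in where.items():
        key = make_safe_field(origkey)
        sqltype, val = value.get("sqltype"), value.get("value")
        if sqltype == "LIKE":
            criteria.append(f"{key} LIKE '%{escape_string(val)}%'")  # quoted: escaping works
        elif sqltype == "NEQ":
            criteria.append(f"{key}!='{escape_string(val)}'")        # quoted: escaping works
        elif sqltype in (">", "<"):
            criteria.append(f"{key}{sqltype}{escape_string(val)}")   # unquoted: raw SQL
        elif sqltype in ("<=", ">="):
            criteria.append(f"{origkey}{sqltype}{escape_string(val)}")  # unquoted, raw key too
        elif sqltype == "TABLEJOIN":
            criteria.append(f"{key}={escape_string(val)}")           # unquoted: raw SQL
    return f"SELECT * FROM {make_safe_field(table)} WHERE " + " AND ".join(criteria)


def build_hardened(table, where):
    """Allowlisted identifiers, typed values and bound parameters: the SQL text
    never contains attacker-controlled bytes."""
    if table not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown table {table!r}")
    criteria, params = [], []
    for key, value in where.items():
        if key not in ALLOWED_COLUMNS[table]:
            raise ValueError(f"unknown column {key!r}")
        sqltype, val = value["sqltype"], value["value"]
        if sqltype == "LIKE":
            criteria.append(f"{key} LIKE ?")
            params.append(f"%{val}%")
        elif sqltype == "NEQ":
            criteria.append(f"{key} != ?")
            params.append(val)
        elif sqltype in NUMERIC_OPS:
            if isinstance(val, bool) or not isinstance(val, (int, float)):
                raise ValueError(f"{key!r} {sqltype} needs a number, got {val!r}")
            criteria.append(f"{key} {sqltype} ?")
            params.append(val)
        elif sqltype == "TABLEJOIN":
            # A join condition compares two columns, so the right-hand side must
            # itself be an allowlisted column, never free text.
            if val not in ALLOWED_COLUMNS[table]:
                raise ValueError(f"join target {val!r} is not an allowed column")
            criteria.append(f"{key} = {val}")
        else:
            raise ValueError(f"unsupported sqltype {sqltype!r}")
    return f"SELECT * FROM {table} WHERE " + " AND ".join(criteria), params


def run(conn, sql, params=()):
    return conn.execute(sql, params).fetchall()


def demo():
    conn = make_conn()
    payload = {"id": {"sqltype": ">", "value": "99 OR 1=1"}}  # id>99 alone matches nothing
    leaked = run(conn, build_vulnerable("tblclients", payload))  # every row comes back
    # The quoted LIKE branch survives the same trick because the quote is escaped.
    like_probe = {"firstname": {"sqltype": "LIKE", "value": "' OR 1=1 --"}}
    like_rows = run(conn, build_vulnerable("tblclients", like_probe))
    try:
        build_hardened("tblclients", payload)
        rejected = False
    except ValueError:
        rejected = True
    legit = run(conn, *build_hardened("tblclients", {"id": {"sqltype": ">", "value": 2}}))
    return len(leaked), len(like_rows), rejected, legit
```

Running demo() returns all three constructed rows for the unquoted > payload, zero rows for the same idea aimed at the quoted LIKE branch, a rejection from the hardened builder, and the single expected row for a legitimate numeric comparison. The practitioner's takeaway is that "escaped" only means anything when the escaped value sits inside a string literal; for numeric and identifier positions the fix is type checking and allowlisting, with values bound as parameters.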
So why wait for WHMCS to fix it :p