####################################################################### Tile: WHMCS grouppay plugin SQL Injection <= 1.5 Author: HJauditing Employee Tim E-mail: Tim@HJauditing.com Web: http://hjauditing.com/ Plugin: http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html ####################################################################### ============ Introduction ============ We have found a SQL injection inside the group pay plugin for WHCMS. A lot of game hosting companies are using this plugin. SQL Injection is in the function gp_LoadUserFromHash. ============ Exploits ============ - SQL Injection grouppay.php?hash=%hash%' and '1'='1 ============ Code SQL Injection ============ /modules/addons/group_pay/functions_hash.php function gp_LoadUserFromHash($hash) { //Kill the Dashes $hash = str_replace ( "-", "", $hash ); $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" ); if($result){ $row = mysql_fetch_row ( $result ); return $row [0]; }else{ return false; } } ============ Fix ============ /modules/addons/group_pay/functions_hash.php function gp_LoadUserFromHash($hash) { //Kill the Dashes $hash = str_replace ( "-", "", $hash ); $hash = mysql_real_escape_string($hash); $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" ); if($result){ $row = mysql_fetch_row ( $result ); return $row [0]; }else{ return false; } } #######################################################################?