Hi all , was alot busy with my work , so now here comes some new stuff PHP object injection in all whmcs versions.
http://packetstormsecurity.com/files/123890/whmcs-phpobject.txt
http://blog.whmcs.com/?t=81138
http://www.securelist.com/en/advisories/55717
# Exploit Title : WHMCS <=5.2.12 PHP Object Injection
:Web Host Manager Complete Solution
# Date : 2013/10/24
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link : http://www.whmcs.com
# Author HomePage : http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
#PHP Object Injection
#Affected Versions:
WHMCS <=5.2.12
#Vulnerability Description
Poc
The vulnerable code is located in /includes/classes/class.admin.php
The function sortableTableInit() passes S_COOKIE data to unserialize function without sanitizing it.
Code on Line 711
$sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
$sortdata = unserialize( base64_decode( $sortdata ) );
User input passed through the Cookies is not properly sanitized before being used in
an unserialize() call at line 711. This can be exploited to inject arbitrary PHP objects into the
application scope.
Some of the files which are calling sortableint() function are
/admin/configticketescalations.php
/admin/clientsinvoices.php
/admin/transactions.php
/admin/clientsnotes.php
/admin/affiliates.php
/admin/offlineccprocessing.php
/admin/supportannouncements.php
/admin/supporttickets.php
/admin/systemmailimportlog.php
/admin/clientscredits.php
/admin/clientsquotes.php
/admin/configservers.php
/admin/systemactivitylog.php
/admin/clientslog.php
/admin/clientstransactions.php
/admin/quotes.php
/admin/gatewaylog.php
/admin/systemadminlog.php
/admin/clientsservices.php
/admin/configadmins.php
/admin/todolist.php
/admin/invoices.php
#Independent Pakistani Security Researcher
http://packetstormsecurity.com/files/123890/whmcs-phpobject.txt
http://blog.whmcs.com/?t=81138
http://www.securelist.com/en/advisories/55717
# Exploit Title : WHMCS <=5.2.12 PHP Object Injection
:Web Host Manager Complete Solution
# Date : 2013/10/24
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link : http://www.whmcs.com
# Author HomePage : http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
#PHP Object Injection
#Affected Versions:
WHMCS <=5.2.12
#Vulnerability Description
Poc
The vulnerable code is located in /includes/classes/class.admin.php
The function sortableTableInit() passes S_COOKIE data to unserialize function without sanitizing it.
Code on Line 711
$sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
$sortdata = unserialize( base64_decode( $sortdata ) );
User input passed through the Cookies is not properly sanitized before being used in
an unserialize() call at line 711. This can be exploited to inject arbitrary PHP objects into the
application scope.
Some of the files which are calling sortableint() function are
/admin/configticketescalations.php
/admin/clientsinvoices.php
/admin/transactions.php
/admin/clientsnotes.php
/admin/affiliates.php
/admin/offlineccprocessing.php
/admin/supportannouncements.php
/admin/supporttickets.php
/admin/systemmailimportlog.php
/admin/clientscredits.php
/admin/clientsquotes.php
/admin/configservers.php
/admin/systemactivitylog.php
/admin/clientslog.php
/admin/clientstransactions.php
/admin/quotes.php
/admin/gatewaylog.php
/admin/systemadminlog.php
/admin/clientsservices.php
/admin/configadmins.php
/admin/todolist.php
/admin/invoices.php
#Independent Pakistani Security Researcher
4 comments:
Thanks for sharing very good tips about php .I really like this blog.
php
http://hosthub.biz
www.bdwebs.com
This article has great values. I like to read your posts.
wez pozyczke
Post a Comment