WHMCS SQL Injection: Extracting Admin Credentials

WHMCS SQL Injection: Extracting Admin Credentials
What this paper is
This paper details a SQL injection vulnerability found in WHMCS (WHMCompleteSolution), a web application used for client management and billing. The exploit allows an attacker to extract sensitive information, specifically usernames and passwords of administrators, by manipulating database queries through the submitticket.php script.
Simple technical breakdown
The vulnerability lies in how the submitticket.php script handles user input, specifically the deptid parameter. When this parameter is not properly sanitized, an attacker can inject malicious SQL code. This code leverages the UNION ALL SELECT SQL statement to combine the results of a crafted query with the original, legitimate query. The crafted query is designed to select specific columns (like username and password) from a table containing administrator credentials (tbladmins).
Complete code and payload walkthrough
The provided exploit is a URL string, not traditional code with functions or shellcode. It demonstrates how to craft a malicious HTTP request to trigger the SQL injection.
Exploit URL Structure:
http://site/submitticket.php?step=2&deptid=001' and 1=0 union all select 1,2,3,4,message,6,7,8,9,10 from tbltickets--%20
Breakdown of the Exploit URL:
http://site/submitticket.php?step=2: This is the legitimate entry point to the WHMCS ticket submission page.step=2likely indicates a specific stage in the ticket submission process.&deptid=001': This is the vulnerable parameter.001: A seemingly valid department ID.': This single quote is crucial. It closes the expected string literal for thedeptidparameter, allowing the attacker to inject SQL code.
and 1=0: This condition is always false. Its purpose is to ensure that the original query (which would normally fetch data related to department ID001) returns no rows. This makes it easier for the injectedUNION ALL SELECTstatement's results to be displayed.union all select 1,2,3,4,message,6,7,8,9,10 from tbltickets: This is the core of the injection.union all select: This SQL operator combines the result set of two or moreSELECTstatements.ALLmeans duplicate rows are included.1,2,3,4,message,6,7,8,9,10: These are the columns being selected. The attacker is trying to match the number of columns expected by the original query. By replacing some of these numbers with actual column names from a target table, they can extract data. In this specific example,messageis being selected fromtbltickets. This suggests an initial attempt to extract ticket messages.from tbltickets: This specifies the table from which to retrieve data.tblticketsis likely a table storing support ticket information.
--%20: This is a comment in SQL.--: This signifies the start of a comment in many SQL dialects.%20: This is the URL-encoded representation of a space. The space after--is important for the comment to be correctly interpreted by the database. This effectively comments out any remaining part of the original SQL query, preventing syntax errors.
Second Exploit URL (for credential extraction):
http://ste/support/submitticket.php?step=2&deptid=001' and 1=0 union all select 1,2,3,4,username,6,7,8,password,10 from tbladmins--%20
Key Differences and Purpose:
http://ste/support/submitticket.php: A different example URL, but the principle is the same.&deptid=001' and 1=0 union all select 1,2,3,4,username,6,7,8,password,10 from tbladmins: This is the critical change.username: The attacker is now attempting to extract theusernamecolumn.password: The attacker is attempting to extract thepasswordcolumn.from tbladmins: The target table is nowtbladmins, which is highly likely to contain administrator login credentials.
Mapping:
submitticket.php?step=2&deptid=...: Entry point and vulnerable parameter.': Closes the expected string fordeptid, enabling SQL injection.and 1=0: Ensures the original query returns no results.union all select ...: Combines attacker's query with the original.1,2,3,4,message,6,7,8,9,10 from tbltickets: Example of extracting ticket messages.1,2,3,4,username,6,7,8,password,10 from tbladmins: Example of extracting admin usernames and passwords.--%20: Comments out the rest of the original query.
Practical details for offensive operations teams
- Required Access Level: Unauthenticated. This vulnerability can be exploited by any user who can send an HTTP request to the target application.
- Lab Preconditions:
- A running instance of WHMCS (or a similar application with the same vulnerability) that is accessible via HTTP/HTTPS.
- Knowledge of the target application's URL structure.
- A database backend for WHMCS (e.g., MySQL).
- Tooling Assumptions:
- A web browser for manual testing or crafting requests.
- An HTTP proxy (like Burp Suite or OWASP ZAP) to intercept and modify requests.
- SQL injection specific tools (e.g., sqlmap) could potentially automate this, but manual crafting is demonstrated here.
- Execution Pitfalls:
- Column Count Mismatch: The
UNION ALL SELECTstatement requires the number of columns in the injectedSELECTto match the number of columns in the original query. If this count is wrong, the query will fail. The attacker might need to perform trial-and-error or use error-based SQL injection techniques to determine the correct column count. - WAF/IDS Evasion: Modern Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDS) may detect the
',UNION,SELECT, and comment patterns. Obfuscation techniques might be necessary (e.g., using different comment styles, URL encoding variations, case variations). - Database Specific Syntax: While
UNION ALL SELECTis common, specific database systems might have minor syntax variations or different table/column names. - Output Encoding: The extracted data might be URL-encoded or HTML-encoded by the application before being displayed, requiring decoding.
- Authentication Bypass: This exploit focuses on data extraction. If the goal is to gain administrative access, further steps like password cracking or session hijacking might be needed after obtaining credentials.
- Column Count Mismatch: The
- Tradecraft Considerations:
- Reconnaissance: Identify the target application (WHMCS) and its version. Google Dorks provided in the paper (
Powered by WHMCompleteSolution,inurl:WHMCS) are excellent starting points. - Targeted Parameter Identification: Focus on parameters that are likely to be used in database queries, especially those related to IDs or lookups.
- Payload Crafting: Carefully construct the
UNION ALL SELECTstatement, paying close attention to the number of columns and the names of sensitive tables/columns. - Stealth: Avoid overly aggressive scanning that might trigger alerts. Manual, targeted requests are often more discreet.
- Data Exfiltration: Plan how to exfiltrate the extracted data without raising suspicion. This might involve embedding it in seemingly legitimate requests or using out-of-band techniques if available.
- Reconnaissance: Identify the target application (WHMCS) and its version. Google Dorks provided in the paper (
Where this was used and when
- Software: WHMCS (WHMCompleteSolution)
- Vulnerability Type: Remote SQL Injection
- Approximate Year of Discovery/Publication: 2010 (as per the paper's publication date).
- Usage Context: This type of vulnerability would be exploited against web servers hosting WHMCS installations. The goal is typically to gain access to administrator credentials for the WHMCS panel, which could then be used to:
- Access sensitive client data (personal information, billing details).
- Manipulate billing information or create fraudulent services.
- Use the WHMCS panel as a pivot point to attack other systems hosted on the same infrastructure.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the most critical defense. All user-supplied input, especially data used in database queries, must be rigorously validated and sanitized. This includes:
- Parameterized Queries (Prepared Statements): Use parameterized queries provided by the database driver. This separates SQL code from data, preventing injected code from being executed.
- Whitelisting: Only allow known-good characters or patterns for input.
- Escaping Special Characters: Properly escape characters that have special meaning in SQL (like
',",;,--).
- Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common SQL injection patterns. Keep WAF rules updated.
- Least Privilege Principle: Ensure the database user account used by the web application has only the minimum necessary privileges. It should not have permissions to select from sensitive tables like
tbladminsif not absolutely required for its function. - Regular Patching and Updates: Keep WHMCS and all its dependencies updated to the latest versions. Vendors frequently release patches for known vulnerabilities.
- Security Audits and Code Reviews: Regularly audit web application code for potential vulnerabilities, including SQL injection flaws.
- Monitoring and Logging: Implement robust logging for database queries and web server access. Monitor logs for suspicious activity, such as unusual query patterns or access to sensitive tables.
- Error Handling: Configure error handling to prevent detailed database error messages from being exposed to the user, as these can often provide clues to attackers.
ASCII visual (if applicable)
This exploit is a direct manipulation of an HTTP request to the web application, which then interacts with the database. A simple flow can be visualized:
+-----------------+ +-------------------+ +-----------------+
| Attacker's | ---> | WHMCS Web Server | ---> | Database Server |
| HTTP Request | | (submitticket.php)| | (tbladmins) |
| (Malicious URL) | +-------------------+ +-----------------+
+-----------------+ |
| (Vulnerable Input Handling)
v
+-------------------+
| SQL Injection |
| (UNION ALL SELECT)|
+-------------------+
|
v
+-------------------+
| Data Exfiltration |
| (Username/Password)|
+-------------------+Source references
- Paper ID: 12371
- Paper Title: WHMCompleteSolution (WHMCS) control (WHMCompleteSolution) - SQL Injection
- Author: Islam DefenDers
- Published: 2010-04-24
- Exploit-DB URL: https://www.exploit-db.com/papers/12371
- Raw Exploit URL: https://www.exploit-db.com/raw/12371
Original Exploit-DB Content (Verbatim)
#=Info=======================================================================#
# Software: WHMCS control (WHMCompleteSolution) Sql Injection #
# #
# Vulnerability: Remote Sql Injection #
# Google Dork: Powered by WHMCompleteSolution - or " inurl:WHMCS #
# Off. site: www.MiXaTy.com #
#============================================================================#
#=Author==============================================#
# Author: Islam DefenDers #
# Date: 24.04.2010 #
# Contact: email: hackereg@hotmail.com #
#====================================================#
#=Sql Injection===========================================================================================================================================================#
# Exploit: http://site/submitticket.php?step=2&deptid=001' and 1=0 union all select 1,2,3,4,message,6,7,8,9,10 from tbltickets--%20
# DOWNLOAD : http://www.whmcs.com/
# Live demo: http://ste/support/submitticket.php?step=2&deptid=001' and 1=0 union all select 1,2,3,4,username,6,7,8,password,10 from tbladmins--%20
#=========================================================================================================================================================================#
#=Greetz==================================#
# IsLam DefenDers Mr.HaMaDa #
#=======================================#
HaMaDa SCoOoRPioN - DR.B@HY - MiXaTy TeaM - Islam DefenDers TeaM
site: www.mixaty.com
E: hackereg@hotmail.com