Thursday, March 30, 2017
Home / Security / Exploits / WHMCS SQLI Zero-Day & Script Leak

WHMCS SQLI Zero-Day & Script Leak

A few days ago, a zero-day SQL injection vulnerability in WHMCS was disclosed by localhost.re, along with the exploit code. It was quickly patched by the WHCMS team and rated as critical since it allows an attacker full access to the database hosting WHMCS:

“The vulnerability allows an attacker, who has valid login to the installed product, to craft a SQL Injection Attack via a specific URL query parameter against any product page that updates database information.

Creating a valid login is very easy and allowed by default through the registration page.”

WHMCS is very popular amongst hosts, it also contains sensitive customer data and if you use it, you need to patch it ASAP!

The script was leaked recently via forums:

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.

Check Also

Amazon hacked – hacker leaks 80,000 login credentials

A hacker going by the name 0x2Taylor has said to have breached the servers of …