Hacking News Opinions Security

Barking up the wrong tree

Investigating what I thought could be an SQL Injection in WHMCS

For those of you who haven’t heard of WHMCS before, you may have heard of cPanel/WHM? cPanel is a very popular control panel installed to many web servers worldwide (WHM is the administration panel that sits behind it).

WHMCS is a very popular billing system which integrates seamlessly with cPanel and WHM for automatic account creation. In my opinion, it hasn’t had a great security history. It’s probably better these days, but I recall reporting an XSS vulnerability to them a few years ago and I wasn’t particularly happy with the way they prioritised it.

Recently, I was logged onto a WHMCS instance used by one of the hosting companies I use. For reasons that aren’t relevant, I tried to disable two factor authentication on my account. When you try to do this on WHMCS, it asks you for your password. I input my password, but the system said my password was wrong? It certainly wasn’t – I put it in straight from my password manager.

I observed my password contained a quote, and wondered whether this could be triggering some sort of SQL issue.

To test this, I changed my password to the same value, but removed the single quote. This time, disabling Two Factor Authentication worked fine, without error.

Have I just discovered an SQL Injection in WHMCS? This seemed serious enough for me to investigate – it was certainly behaving in a way it shouldn’t.

I purchased a monthly license, and installed WHMCS to my local machine. Further testing needed to be done.

The source code of WHMCS is closed source and obfuscated, so it’s not as easy as looking at the source code to see what it’s doing.

I registered a new client account, ensuring to put a quote in my password, and I was able to replicate the issue locally. The version I installed was 8.0.4 – I haven’t tested other versions.

I decided to load Burpsuite to try and capture the registration request before it was passed onto the server. From here, I exported the request and loaded it into SQLMap – a useful tool for automatically testing for SQL vulnerabilities. To my surprise, SQLMap didn’t find any SQL vulnerabilities.

I wasn’t going to leave it there though – this code was misbehaving and I wanted to find out why. When quotation marks cause errors in user inputs, it is often indicative of an SQL error and potential SQL Injection risk. If SQLMap couldn’t identify any SQL injection risks, why was this code misbehaving?

After much discussion and help from atthacks, we identified the issue we were dealing with wasn’t an SQL Injection risk – disappointing, I thought I was onto something here!

As part of our analysis, we registered an account with the following password: password’

We then took the hash from the database and cracked it using John.

The output from John the Ripper

As we can see, the quote has stored in the database as '. Therefore, as far as the system is concerned, my password was actually password', not password’. The quote seems to have been represented as the ASCII code for a quote, rather than the quote itself.

The question is, why would they do this? Technically, you can limit SQL Injection risks by removing quotes, but it certainly shouldn’t be relied upon. There are potential ways around this. They should be using proper parameterised queries to fully mitigate SQL injection vulnerabilities. I can only assume they’re doing both, as I found no way to leverage this into an SQL Injection.

This is completely unnecessary – parameterised queries will eliminate the SQLi risk. Encoding the quotation marks offers no further protection and breaks functionality.

The thing that bothers me most about this though is how this bug hasn’t been picked up on a penetration test? This bug isn’t a security bug, but a penetration test would have easily identified this. Do they not pentest their software before they make the software available? Was this tested but missed? Or, was it identified during testing, but added to the pile of bugs not worth fixing? Who knows – it does highlight serious concerns though at the level of security testing they do prior to releasing their software though. I’ve used WHMCS myself in previous jobs – I can’t say I have enough trust in its security these days, especially when you consider the type of data it should be securing.


Picking my first lock

…and my second

Given my obvious interest in cyber security, I decided to give physical penetration testing a go. A lot of cyber security professionals use lock-picking skills when out in the field, so it’s an important to skill to learn.

Knowing absolutely nothing about lock picking, I decided to buy the first lock picking kit I could kind from a quick search online. I settled with a ‘Lokko’ Lock Pick Set from UK BumpKeys. I confess – I still know very little about lock-picking so please bare this in mind when reading this post. 🙂

The set consisted of a 12-piece lock set, two practice locks, a credit card concealed lock picking set, and a number of tension levers.

The set came with an e-book (though you can pay extra for a real book if you wish) which describes the basics of lock-picking. I haven’t actually read the book yet, as I watched a couple of basic lock-picking videos on YouTube before the set arrived in the post.

Before trying to pick a lock, we need to understand a few of the lock types. A common lock type (most often seen in padlocks) is a basic pin lock. Aside from the terrible background music, this video by DaveHax on YouTube is helpful in explaining the basic fundamentals of picking a pin-based lock. I recommend giving it a watch if you don’t already understand the basics.

What picks do we have?

As you can see, there are 12 picks in this set. I’m still yet to learn about the different types of picks myself, but from what I have learnt so far, you have a few picks designed to target individual lock pins (starting from the left), moving onto your rake style picks on the right which target several pins at once in a more brute-force style of picking. The one on the end is apparently called a snowman – I have no idea what this one is for?

I managed to pick both locks several times in the picking kit using a variety of different picks – the first attempt only took a few minutes. I found the practice locks fairly straight-forward. These locks have the obvious advantage that they are transparent, allowing you to see the individual pins as you pick them. This makes it far easier, but after a short-while, I found I was able to pick them without looking at the pins.

It’s really exciting when you manage to pick your first lock, but the effect quickly wears off when you realise the lock you have picked a lock that is designed to be picked. My next step was to buy a real lock.

I went onto eBay and ordered one of the first few locks I could find (a Master Lock M5). I picked two of these locks up for £12.99.

It was only after I purchased both locks I noticed the following wording in the product description:

“The 4-pin cylinder prevents picking”

As someone who has only picked a couple of practice locks, there’s no way I could pick a lock which “prevents picking”, right? Wrong!

The M5 lock is certainly a lot more difficult to pick and I need to give it some more practice, but I was relieved that I was able to successfully pick this despite the (rather inaccurate) product description. Picking a real lock gives far more satisfaction than picking a practice lock. I guess I’m going to have to order more to practice my new hobby on.