# Exploit Title         : WHMCS <=5.1.12 PHP Object Injection
                               Web Host Manager Complete Solution
# Date                    : 2013/10/24
# Exploit Author    : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link     : http://www.whmcs.com
# Author HomePage   : http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

#PHP Object Injection

#Affected Versions:
WHMCS <=5.1.12

#Vulnerability Description 
Poc
 
The vulnerable code is located in /includes/classes/class.admin.php
The function sortableTableInit() passes S_COOKIE data to unserialize function without sanitizing it.
Code on Line 711

      $sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
      $sortdata = unserialize( base64_decode( $sortdata ) );
      
User input passed through the Cookies is not properly sanitized before being used in
an unserialize() call at line 711. This can be exploited to inject arbitrary PHP objects into the
application scope.

Some of the files which are calling sortableint() function are 

/admin/configticketescalations.php
/admin/clientsinvoices.php
/admin/transactions.php
/admin/clientsnotes.php
/admin/affiliates.php
/admin/offlineccprocessing.php
/admin/supportannouncements.php
/admin/supporttickets.php
/admin/systemmailimportlog.php
/admin/clientscredits.php
/admin/clientsquotes.php
/admin/configservers.php
/admin/systemactivitylog.php
/admin/clientslog.php
/admin/clientstransactions.php
/admin/quotes.php
/admin/gatewaylog.php
/admin/systemadminlog.php
/admin/clientsservices.php
/admin/configadmins.php
/admin/todolist.php
/admin/invoices.php


#Independent Pakistani Security Researcher