
Thread: whmcs hack

  1. #1

    whmcs hack

    One guy just showed me this: http://www.mediafire.com/?drt52jgttnj

    He is telling me it is easy to hack WHMCS up to the latest version. I don't understand it fully (it's in Arabic).

    http://www.sec-code.com/vb/showthread.php?p=32770

    Does anyone know about this news?

  2. #2
    This is what the translated text comes up with in English:

    Peace be upon you.
    This is the first explained by me on the forum.
    The explanation is a WHMCS gap in the script. Support WHMCS does not penetrate the sites or hosting companies.
    God Mattbakoh Arab sites
    Download link: http://www.mediafire.com/?drt52jgttnjw
    I also saw the video.
    The guy was using the SQL injection technique to hack by directly passing commands to the database from the browser's address bar. According to the video, WHMCS seems not to be filtering queries and they get executed directly by the database, which is bad, if it's true.

    However, the irony is that he was already logged in as the admin user. So I am assuming he had full access to all WHMCS functions. For a normal user this method is most likely to fail.

    So I won't call it a "hack".

    By the way, the compression used in that file is pretty amazing. A 1.4 MB file extracts into a 64 MB video. lol

  3. #3
    Quote Originally Posted by Gary4gar View Post
    By the way, the compression used in that file is pretty amazing. A 1.4 MB file extracts into a 64 MB video. lol
    The video has such a large size because it is compressed using the Microsoft Video1 format.

  4. #4
    Well, I have seen this "hack" but it's a bit more involved to get it to work and a fix was already introduced into 4.0.1. Not to mention any host with decent mod_security rules would filter out a SQL union injection.
    Michael Denney - MDDHosting LLC

  5. #5
    To be honest it's a fairly worthless "hack" anyway, since it works on the assumption that the MD5 hashed password will be based on a common dictionary word and be publicly rainbow tabled. If your password is the least bit secure, you should be fine.

    Additionally, you should always lock down your WHMCS Administration area by IP address. Easily accomplished with a .htaccess file, so even if your password is obtained, it's useless since they can't access the relevant area.
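The posts above describe the chain in words: a URL parameter pasted straight into SQL, a UNION that pulls the admin table's MD5 hashes out through the page, and a lookup of those hashes against a public table that only works for dictionary passwords. The following is an added example (not the video's steps, not WHMCS code, and not the script's real query or tables) that reproduces that chain against a constructed in-memory SQLite schema: `products`, `admins`, the `?id=` handler, the `PAYLOAD` string and the tiny `WORDLIST` standing in for a rainbow table are all assumptions made up for the demonstration. It shows the vulnerable concatenated query beside the parameterised one, and why the hash dump is worthless against a password that is not in the table.

```python
import hashlib
import sqlite3

# Constructed stand-in for a public MD5 rainbow table: a short dictionary wordlist.
WORDLIST = ["password", "123456", "letmein", "hosting", "qwerty"]


def build_db():
    """Constructed schema (not WHMCS's real tables): a public product table and an
    admin table holding unsalted MD5 password hashes, as the thread describes."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE admins   (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'Shared Basic', 4.95), (2, 'VPS Small', 19.95);
        """
    )
    # One admin with a dictionary password, one with a password the wordlist lacks.
    for uid, user, pw in [(1, "admin", "letmein"), (2, "jules", "Zq7!vP#2mL9")]:
        con.execute(
            "INSERT INTO admins VALUES (?, ?, ?)",
            (uid, user, hashlib.md5(pw.encode()).hexdigest()),
        )
    con.commit()
    return con


def product_page_vulnerable(con, product_id):
    """The pattern the video relied on: the ?id= value from the address bar is
    concatenated into the SQL text, so the value can carry SQL of its own."""
    sql = "SELECT name, price FROM products WHERE id=" + product_id
    return con.execute(sql).fetchall()


def product_page_fixed(con, product_id):
    """Parameterised query: the value travels separately from the SQL text, so a
    UNION inside it is just a product id that matches nothing."""
    return con.execute(
        "SELECT name, price FROM products WHERE id=?", (product_id,)
    ).fetchall()


# Union injection: the first SELECT matches nothing, the second appends the admin
# rows (two columns, to line up with the two columns the page normally renders).
PAYLOAD = "0 UNION SELECT username, password FROM admins"


def dump_admin_hashes(con):
    """Run the payload through the vulnerable page; returns {username: md5hex}."""
    return {user: pw_hash for user, pw_hash in product_page_vulnerable(con, PAYLOAD)}


def crack_md5(digest, wordlist=WORDLIST):
    """The rainbow-table step: an unsalted MD5 hash only falls if the password is
    in the table. Returns the plaintext, or None when the lookup fails."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


if __name__ == "__main__":
    db = build_db()
    for user, digest in dump_admin_hashes(db).items():
        print(user, digest, "->", crack_md5(digest) or "not in wordlist")
    print("fixed page with payload:", product_page_fixed(db, PAYLOAD))
```

Run as-is, the vulnerable page hands back both admin hashes, `admin` cracks to `letmein`, `jules` does not, and the parameterised page returns an empty result for the same payload. The fix is the query shape, not a filter on the input: a WAF rule that blocks `UNION` (as mentioned in post #4) is a second layer, not a substitute.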

  6. #6
    Quote Originally Posted by JulesR View Post
    To be honest it's a fairly worthless "hack" anyway, since it works on the assumption that the MD5 hashed password will be based on a common dictionary word and be publically rainbow tabled. If your password is the least bit secure, you should be fine.

    Additionally, you should always lock down your WHMCS Administration area by IP address. Easily accomplished with a .htaccess file, so even if your password is obtained, it's useless since they can't access the relevant area.
    Excellent tip but sadly probably not something a lot of people do. You can also rename the administration folder to something less default.

    By the way as mentioned... the .htaccess would be:
    Code:
    # Apache 2.2 (mod_authz_host) syntax. On Apache 2.4 these directives only
    # work with mod_access_compat loaded; the native 2.4 form is "Require ip".
    order deny,allow
    deny from all
    allow from x.x.x.x
    Replace x.x.x.x with the IP address of the PC you will be connecting from (if it's static).

  7. #7
    Quote Originally Posted by serverorigin View Post
    You can also rename the administration folder to something less default.
    Also another great tip. Thanks for posting the .htaccess content; hopefully it'll help someone somewhere become that little bit more secure.

    EDIT: Just to add, even if your IP address isn't static, you should be able to update your .htaccess file from FTP anyway, so please don't let a dynamic IP address put you off.

  8. #8
    For those of you with a dynamic IP:
    Code:
    Order Deny,Allow
    deny from all

    # If your dynamic IP always begins the same, copy the part of the IP that does not change.
    # A partial address matches on whole octets, so for 12.34.56.78 this allows 12.34.0.0/16:
    allow from 12.34

    # If your dynamic IP always changes, but the hostname remains similar,
    # copy the part of the hostname that does not change.
    # For example, 12-34-56-78.westcoast.isp.com would be:
    # (Apache verifies this with a reverse DNS lookup of the client IP followed by a
    # forward lookup of the result, so a broken reverse zone locks you out as well.)
    allow from westcoast.isp.com
    Victor Lugo
    Systems Administrator
