The WHCMS Exploit…

The WHCMS Exploit…

So, there has been some low level hype over this WHCMS 0day that was for sale a while back, for the extortionate price of $6k. Sure, some exploits are worth that, but definately not a friggin blind SQLi vuln. Does that mean I can sell RFI bugs for $10k “because they are more dangerous”? I somehow doubt it…

Anyway, as I was considering beginning some fuzzing of WHCMS, I noticed the following post on Full Disclosure – The FD Post

So, like many people, I downloaded the provided scripts and had a look. Having been burned before with the “OOH SHINY – OOH SHIT I GOT RM’d” syndrome, I decided to FULLY read the code first.

exploit.py seems to simply check for the vulnerable part, and tells you if you can own it or not. For archival reasons it is mirrored on my pastebin -> http://pastebin.com/QS9ZRYyc

blind_sqli.py is FAR more interesting. It is a full blown, explicitly targetted Blind SQL Injection script. You point it at your target, let it run, and bam. Admin login creds come out. Fairly well written for a “lame PoC”, and I have archived it pn my pastebin also -> http://pastebin.com/WB3BnB2G

Now I have not bothered getting a copy of WHCMS to test this all out on, as it is not so interesting to me, but seriously. This sold for 6 grand? I wonder how much my SCADA/WinCC/MiniWeb DoS would have sold for?

Anyways, I’m off. Not taking any responsibility for what is done using those scripts I mirrored, but apparently “EVERYONE WAS GETTING OWNED” or something. nice.

~infodox