WHMCS Hacking with Sumbit Ticket exploit

Hi Mates !
Today we are going to learn, how to Hack WHMCS or you can say its submit ticket exploit ,through which we will we will get the cpanel username and password of hosting panel and website hosted on that whmcs.
lets start
step 1 
Get a website which provide hosting  and find out the option  ” submit ticket”
step 2
now open submit ticket option and click on sales department
st1.png (1366×774)
step 3
now we have to fill the following
info like “name , email address, urgency put any random info is these fields and main thing is subject filed”
st2.png (1366×768)
fill this code in subject field



and scroll down fill the Captcha click the submit button
st3.png (1366×768)

we will be redirected to next page where it will show cpanel username and password
boom ! you have cpanel usernames and passwords of hosting panel,website hosted on that server
if you are lucky , you may also get the FTP and SMTP passwords too !
st5.png (1368×610)

ok it was all about the the cpanel,FTP and SMTP passwords  if whmcs dont have any website hosted on it you wont get anything then ????????
dont be sad 🙂
we have one more trick and this will help you to upload the shell on whmcs website 🙂
how ???
lets move 🙂
come back to the submit ticket page put any random info in email,name and urgency field
 main step is to put the php code in subject field this time we are going to put the php code, if it got executed successfully we will get a uploader on the website through which  we will be able to upload shell on the website so lets start
fill the any random info in other fields and put this php code in subject field



fill the captcha  click enter, now first of all , have a look on the submit ticket url 
for example 
http://www.website.com/client/submitticket.php 
so to get the uploader replace the submitticket.php with downloads/indexx.php
remember its indexx.php,when code will execute , it will create indexx.php and its uploader
so open the url
http://www.website.com/client/downloads/indexx.php
you will see file upload option !
st6.png (1368×768)
browse the shell and click upload  after uploading shell
opn the url
http://www.website.com/client/downloads/shell_name.php
hell yeah
owned 😀

[Guest Post]

Read more: WHMCS Hacking with Sumbit Ticket exploit

Story added 5. May 2012, content source with full text you can find at link above.