# WHMCS Module looking for beta testers - Crypty / Privcee



## SrsX (Jan 8, 2014)

So, in light of all these hacks, I've "hacked" around WHMCS, modified a bunch of settings and files to write an amazing module, called Crypty/Privcee, it overwrites the default registration system, along with client updating, etc. and encrypts all the data. Using a key you assign yourself (in configuration file), you can quickly encrypt all customers' information, including but not limited to: Name, Address, Postcode/State/City, Email, etc.

We're searching for beta testers, if you're interested please let me know, I only listed a few features.

Images (note: email left un-encrypted till I modify the login system):







Hope you enjoy, please let me know suggestions, etc. I plan on *encrypting tickets also, along with invoices and emails.*

Todo: Make readable from admin panel.


----------



## yolo (Jan 8, 2014)

I would not come anywhere near your code

 



```php
$password = str_replace('exec', '', $password);
$password = str_replace('eval', '', $password);
```

I just can't comprehend the stupidity behind this

https://github.com/SrsX/MyPanel/blob/master/login.php#L27-L28
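
What the two quoted lines do to a password, next to plain hashing, as an added example that is not part of the post and not code from the linked repository. It assumes the filter runs on a submitted password before it is stored or compared; the function names and sample passwords are constructed for illustration.

```php
<?php
// Added example; not code from the linked repository.

// The two quoted lines wrapped in a function (the name is hypothetical).
function strip_keywords(string $password): string
{
    $password = str_replace('exec', '', $password);
    $password = str_replace('eval', '', $password);
    return $password;
}

// Constructed sample passwords: the filter rewrites what the user typed.
foreach (['medieval-Tr0ub4dor', 'executive#2014', 'hunter2'] as $p) {
    printf("%-20s -> %s\n", $p, strip_keywords($p));
}

// Different inputs collapse to the same value, so the account accepts
// passwords its owner never chose.
var_dump(strip_keywords('hunevalter2') === strip_keywords('hunter2'));

// Hardened form: hash the password exactly as typed. It is data handed to
// a hash function and never executed, so there is nothing to filter.
function register(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function login(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

$stored = register('medieval-Tr0ub4dor');
var_dump(login('medieval-Tr0ub4dor', $stored)); // the password as typed
var_dump(login('medi-Tr0ub4dor', $stored));     // the filtered variant
```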


----------



## SrsX (Jan 8, 2014)

yolo said:


> I would not come anywhere near your code
> 
> 
> 
> ...


Long time ago my friend. There is a lot better updated code, that was just some testing. Also, "anywhere near my code" - have you seen WHMCS's code? *facepalms*


----------



## yolo (Jan 8, 2014)

SrsX said:


> Long time ago my friend. There is a lot better updated code, that was just some testing. Also, "anywhere near my code" - have you seen WHMCS's code? *facepalms*


But that code I posted is less than a month old. So how is that long time ago?


----------



## MartinD (Jan 8, 2014)

Well, this looks like a popcorn thread in the making.


----------



## SrsX (Jan 8, 2014)

yolo said:


> But that code I posted is less than a month old. So how is that long time ago?


If you want to keep trying to trash this thread, please do. It's getting amusing.


----------



## WebSearchingPro (Jan 8, 2014)

So it essentially makes all user data anonymous to the staff? That could be a problem since a lot of our fraud identification is manual.


----------



## drmike (Jan 8, 2014)

So, for matter of clarification here...

*"Using a key you assign yourself(in configuration file)"*

If the server was compromised and that config file was swiped, what would prevent decryption of everything?


----------



## scv (Jan 8, 2014)

Essentially as useful as WHMCS cc_encryption_hash.


----------



## SrsX (Jan 8, 2014)

drmike said:


> So, for matter of clarification here...
> 
> *"Using a key you assign yourself(in configuration file)"*
> 
> If the server was compromised and that config file was swiped, what would prevent decryption of everything?


Yes, I am working on a solution to that right now... or at least attempting to.



WebSearchingPro said:


> So it essentially makes all user data anonymous to the staff? That could be a problem since a lot of our fraud identification is manual.


No, it decrypts it in the admin panel for staff. I'll update screenshots later.

Edit: here you go.


----------



## GIANT_CRAB (Jan 8, 2014)

Bullshit, this is fucking just base64_encode and serialize essentially?


----------



## SrsX (Jan 8, 2014)

drmike said:


> So, for matter of clarification here...
> 
> *"Using a key you assign yourself(in configuration file)"*
> 
> If the server was compromised and that config file was swiped, what would prevent decryption of everything?


As I just messaged you, if someone has the ability to access all your raw files, no amount of encryption will save you. This is more for SQLi attacks, etc. It wasn't really designed to help secure if you're hit with something like LFI.



GIANT_CRAB said:


> Bullshit, this is fucking just base64_encode and serialize essentially?


You'd be 99% incorrect, except for the base64 part, the output is base64 but there is more on the inside.


----------



## GIANT_CRAB (Jan 8, 2014)

SrsX said:


> As I just messaged you, if someone has the ability to access all your raw files, no amount of encryption will save you. This is more for SQLi attacks, etc. It wasn't really designed to help secure if you're hit with something like LFI.
> 
> You'd be 99% incorrect, except for the base64 part, the output is base64 but there is more on the inside.


No, I am 100% correct.

You don't even know what you're doing.


----------



## SrsX (Jan 8, 2014)

GIANT_CRAB said:


> No, I am 100% correct.
> 
> You don't even know what you're doing.


Actually, you're 99% incorrect.

I love it how you're *assuming* you know what you're talking about and doing, but if you actually want to look at the code so you _can be proven incorrect_ you're more than welcome to PM me.

However, I'm going to assume you're one of those people whose butt will be sore when proven wrong.


----------



## GIANT_CRAB (Jan 8, 2014)

SrsX said:


> Actually, you're 99% incorrect.
> 
> I love it how you're *assuming* you know what you're talking about and doing, but if you actually want to look at the code so you _can be proven incorrect_ you're more than welcome to PM me.
> 
> However, I'm going to assume you're one of those people whose butt will be sore when proven wrong.


Let me guess, PHP 5.5's new function: password_verify?

Dude, there's no way it can be ENCRYPTED when it's just HASHED or basecode64.

Encryption is supposed to be slow and never possible to decrypt.
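
The three terms argued over in this thread (encoding, hashing, encryption) and the config-file key question raised earlier, side by side as an added example that is not part of any post and is not Crypty/Privcee code. It assumes PHP 7.2+ with the bundled sodium extension; the field value, key handling and function names are constructed for illustration.

```php
<?php
// Added example; not Crypty/Privcee code. Requires PHP 7.2+ (bundled sodium).

// Constructed sample field value.
$address = '12 Example Street, Springfield';

// 1. Encoding: no key involved, anyone holding the column can reverse it.
$encoded  = base64_encode(serialize($address));
$fromDump = unserialize(base64_decode($encoded), ['allowed_classes' => false]);
var_dump($fromDump === $address);

// 2. Hashing: one-way, so staff could never read the address back.
$hashed = hash('sha256', $address);

// 3. Encryption: reversible, but only with the key.
// Assumption: this stands in for the key kept in the module's config file.
$configKey = sodium_crypto_secretbox_keygen();

function encrypt_field(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

function decrypt_field(string $stored, string $key)
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return false; // malformed or truncated column value
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return sodium_crypto_secretbox_open($box, $nonce, $key); // false on bad key
}

$column = encrypt_field($address, $configKey);

// Database-only leak: the column without the config key stays unreadable.
var_dump(decrypt_field($column, sodium_crypto_secretbox_keygen()));

// Database plus config file: the stored value is recovered in full.
var_dump(decrypt_field($column, $configKey));
```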


----------



## SrsX (Jan 8, 2014)

GIANT_CRAB said:


> Let me guess, PHP 5.5's new function: password_verify?
> 
> Dude, there's no way it can be ENCRYPTED when it's just HASHED or basecode64.
> 
> Encryption is supposed to be slow and never possible to decrypt.


"_Encryption is supposed to be slow and never possible to decrypt._"

Where'd you get your facts from? Also, it's not password_verify.

"Ioncube encrypter.... ioncube decrypter"

Such encryption, very hard, wowe.


----------



## GIANT_CRAB (Jan 8, 2014)

SrsX said:


> "_Encryption is supposed to be slow and never possible to decrypt._"
> 
> Where'd you get your facts from? Also, it's not password_verify.
> 
> ...


Ioncube code obfuscator, not encrypter or decrypter in any way.

You don't even know the difference between encryption and hash.


----------



## SrsX (Jan 8, 2014)

GIANT_CRAB said:


> Ioncube code obfuscator, not encrypter or decrypter in any way.
> 
> You don't even know the difference between encryption and hash.


OK, that's why I've been paid over $500 from WHMCS alone for reporting vulnerabilities.

It's all good, I'll just not report the next major one I find and go into your business and take the database.


----------



## GIANT_CRAB (Jan 8, 2014)

SrsX said:


> OK, dats y ive been paid over $500 from WHMCS alone for leborting vulnerabilities. DDDD
> 
> It's all good, ill just not lebort the next major one I find and go into your business and take the database. XDDD


$500 hell note


----------



## kaniini (Jan 8, 2014)

SrsX said:


> OK, that's why I've been paid over $500 from WHMCS alone for reporting vulnerabilities.
> 
> It's all good, I'll just not report the next major one I find and go into your business and take the database.


What vulnerabilities exactly did you report because everyone else I know hasn't gotten jack from that bounty program.


----------



## HalfEatenPie (Jan 8, 2014)

Closed Upon Request.


----------

