amuck-landowner

WHMCS Module looking for beta testers - Crypty / Privcee

Status
Not open for further replies.
SrsX

SrsX

Banned
So, in light of all these hacks, I've "hacked" around WHMCS, modified a bunch of settings and files to write an amazing module, called Crypty/Privcee, it overrights the default registration system, along with client updating, etc. and encrypts all the data. Using a key you assign yourself(in configuration file), you can quickly encrypt all customers information, including but not limited to: Name, Address, Postcode/State/City, Email, etc.

We're searching for beta testers, if you're interested please let me know, I only listed a few features.

Images (note: email left un-encrypted till I modify the login system):

gN91GCF.png

5fzt38K.png

YP3IYpR.png

Hope you enjoy, please let me know suggestions, etc. I plan on encrypting tickets also, along with invoices and emails.

Todo: Make readable from admin panel.
 
Y

yolo

New Member
SrsX said:
Long time ago my friend. There is a lot better updated code, that was just some testing. Also, "anywhere near my code" - have you seen WHMCS's code? *facepalms*
Click to expand...
But that code I posted is less than a month old. So how is that long time ago?
 
WebSearchingPro

WebSearchingPro

VPS Peddler
Verified Provider
So it essentially makes all user data anonymous to the staff? That could be a problem since alot of our fraud identification is manual. 
 
Last edited by a moderator:
SrsX

SrsX

Banned
drmike said:
So, for matter of clarification here...

"Using a key you assign yourself(in configuration file)"

If, the server was compromised and the that config file was swiped, what would prevent decryption of everything?
Click to expand...
yes, I am working on a solution to that right now.... or at least attempting to.

WebSearchingPro said:
So it essentially makes all user data anonymous to the staff? That could be a problem since alot of our fraud identification is manual. 
Click to expand...
No, it decrypts it in the admin panel for staff. I'll update screenshots later.

Edit: here you go.

9qr8j8x.png
 
Last edited by a moderator:
SrsX

SrsX

Banned
drmike said:
So, for matter of clarification here...

"Using a key you assign yourself(in configuration file)"

If, the server was compromised and the that config file was swiped, what would prevent decryption of everything?
Click to expand...
As I just messaged you, if someone has the ability to access all your raw files, no amount of encryption will save you. This is more for SQLi attacks, etc. It wasn't really designed to help secure if you're hit with something like LFI.

GIANT_CRAB said:
Bullshit, this is fucking just base64_encode and serialize essentially?
Click to expand...
You'd be 99% incorrect, except for the base64 part, the output is base64 but there is more on the inside.
 
Last edited by a moderator:
GIANT_CRAB

GIANT_CRAB

New Member
SrsX said:
As I just messaged you, if someone has the ability to access all your raw files, no amount of encryption will save you. This is more for SQLi attacks, etc. It wasn't really designed to help secure if you're hit with something like LFI.

You'd be 99% incorrect, except for the base64 part, the output is base64 but there is more on the inside.
Click to expand...
No, I am 100% correct.

You don't even know what you're doing.
 
SrsX

SrsX

Banned
GIANT_CRAB said:
No, I am 100% correct.

You don't even know what you're doing.
Click to expand...
Actually, you're 99% incorrect.

I love it how you're assuming you know what you're talking about and doing, but if you actually want to look at the code so you can be proven incorrect you're more than welcome to PM me.

However, I'm going to assume you're one of those people whos butt will be sore when proven wrong.
 
Last edited by a moderator:
GIANT_CRAB

GIANT_CRAB

New Member
SrsX said:
Actually, you're 99% incorrect.

I love it how you're assuming you know what you're talking about and doing, but if you actually want to look at the code so you can be proven incorrect you're more than welcome to PM me.

However, I'm going to assume you're one of those people whos butt will be sore when proven wrong.
Click to expand...
Let me guess, PHP 5.5's new function: password_verify?

Dude, there's no way it can be ENCRYPTED when its just HASHED or basecode64.

Encryption is supposed to be slow and never possible to decrypt.
 
SrsX

SrsX

Banned
GIANT_CRAB said:
Let me guess, PHP 5.5's new function: password_verify?

Dude, there's no way it can be ENCRYPTED when its just HASHED or basecode64.

Encryption is supposed to be slow and never possible to decrypt.
Click to expand...
"Encryption is supposed to be slow and never possible to decrypt."

Where'd you get your facts from. Also it's not password_verify :).

"Ioncube encrypter.... ioncube decrypter"

Such encryption, very hard, wowe.
 
GIANT_CRAB

GIANT_CRAB

New Member
SrsX said:
"Encryption is supposed to be slow and never possible to decrypt."

Where'd you get your facts from. Also it's not password_verify :).

"Ioncube encrypter.... ioncube decrypter"

Such encryption, very hard, wowe.
Click to expand...
Ioncube code obfuscater, not encrypter or decrypter in any way.

You don't even know the difference between encryption and hash.
 
SrsX

SrsX

Banned
GIANT_CRAB said:
Ioncube code obfuscater, not encrypter or decrypter in any way.

You don't even know the difference between encryption and hash.
Click to expand...
OK, thats why I've been paid over $500 from WHMCS alone for reporting vulnerabilities.

It's all good, I'll just not report the next major one I find and go into your business and take the database.
 
GIANT_CRAB

GIANT_CRAB

New Member
SrsX said:
OK, dats y ive been paid over $500 from WHMCS alone for leborting vulnerabilities. :DDDDD

It's all good, ill just not lebort the next major one I find and go into your business and take the database. XDDD
Click to expand...
$500 hell note
 
Last edited by a moderator:
kaniini

kaniini

Beware the bunny-rabbit!
Verified Provider
SrsX said:
OK, thats why I've been paid over $500 from WHMCS alone for reporting vulnerabilities.

It's all good, I'll just not report the next major one I find and go into your business and take the database.
Click to expand...
What vulnerabilities exactly did you report because everyone else I know hasn't gotten jack from that bounty program.
 
Status
Not open for further replies.
Top
amuck-landowner