Site has been hacked via SQL Injection

It looks like an overflow attack. They UNION-ed with your existing query. Replacing all your %20 with a space, since it's URL-encoded, yields:

=-999.9 UNION ALL SELECT CONCAT(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-

Break it down:

  1. The =-999.9 is just ending your current query.
  2. 0x31303235343830303536 is NULL – they are just matching the number of columns in your existing query. If you had SELECT * FROM users and users had 4 columns, the UNION must also have 4 columns. As a result, they just used NULL values to populate those columns.
  3. The real confusion is in the CONCAT(). They are combining 126, 39, the database name as a hex value, 39, and 126.
  4. -- is a MySQL comment – it ignores the rest of your query after it.

Judging from this attack, I suspect that you are not wrapping input in mysql_real_escape_string(), which allowed the attacker to jump out of your query and execute their own.

See owasp.org for more information.
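As an added example (not part of the answer above), the following Python helper URL-decodes a request line like the one quoted, flags the UNION ... SELECT pattern and decodes each 0x hex literal so an analyst reviewing access logs can read the attacker's markers and column fillers directly. The request line it runs on is constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample request line (not from the original post): the
# UNION-based payload discussed above as it would appear URL-encoded in a log.
SAMPLE_REQUEST = (
    "GET /product.php?id=-999.9%20UNION%20ALL%20SELECT%20CONCAT(0x7e,0x27,"
    "Hex(cast(database()%20as%20char)),0x27,0x7e),0x31303235343830303536,"
    "0x31303235343830303536,0x31303235343830303536--%20HTTP/1.1"
)

HEX_LITERAL = re.compile(r"0x[0-9a-fA-F]+\b")
UNION_SELECT = re.compile(r"\bUNION(?:\s+ALL)?\s+SELECT\b", re.IGNORECASE)


def decode_hex_literal(token: str) -> str:
    """Turn a MySQL hex literal such as 0x7e into the string it denotes.
    An odd number of hex digits is not a valid string literal, so it is
    returned unchanged rather than guessed at."""
    digits = token[2:]
    if len(digits) % 2:
        return token
    return bytes.fromhex(digits).decode("ascii", errors="replace")


def decode_payload(query_string: str) -> str:
    """URL-decode the request and replace every 0x... literal with the
    repr() of its decoded text, so the SQL reads the way it executed."""
    decoded = unquote(query_string)
    return HEX_LITERAL.sub(lambda m: repr(decode_hex_literal(m.group(0))), decoded)


def analyze_request(line: str) -> dict:
    """Report whether a request line shows a UNION ... SELECT injection and
    list the decoded hex literals it carries (markers and column fillers)."""
    decoded = unquote(line)
    literals = {tok: decode_hex_literal(tok) for tok in HEX_LITERAL.findall(decoded)}
    return {
        "union_select": bool(UNION_SELECT.search(decoded)),
        "hex_literals": literals,
        "reconstructed": decode_payload(line),
    }


if __name__ == "__main__":
    result = analyze_request(SAMPLE_REQUEST)
    print("UNION...SELECT present:", result["union_select"])
    for token, text in result["hex_literals"].items():
        print(f"  {token} -> {text!r}")
    print(result["reconstructed"])
```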
