search

SQLi

hashtag
UNION Injection

UNION allows you to combine two search queries together. Once you find the injection point, you can use UNION to craft another query to get the information you are looking for.

When crafting a UNION query, you need to include the same amount of columns as there are in the original query. You can use ORDER By to help figure that. You can also create the query with NULL for each column. The other tricky part is that the data type for each column must be the same in both queries. You cannot had a number and string in the same column.

hashtag
Getting Amount of Columns with ORDER BY

ORDER BY 1
ORDER BY 2
ORDER BY 3
ORDER BY 4
...

Continue this pattern until you get an error which would suggest the last successful ORDER BY number is the amount of columns.

hashtag
Getting the Amount of Columns with UNION

UNION SELECT NULL
UNION SELECT NULL,NULL
UNION SELECT NULL,NULL,NULL
UNION SELECT NULL,NULL,NULL,NULL
...

Continue this pattern until you no longer get an error. Count the NULL and that is how many columns are in the original query.

hashtag
MySQL

Using MySQL to look at files

hashtag
group_concat()

group_concat() gets the specified column from multiple returned rows and puts into one string separated

https://www.w3resource.com/mysql/aggregate-functions-and-grouping/aggregate-functions-and-grouping-group_concat.phparrow-up-right https://www.mysqltutorial.org/mysql-group_concat/arrow-up-right

hashtag
Clauses

DISTINCT: Eliminates duplicate values ORDER BY: Sorts the values in either descending or ascending order. (Default is ascending order use DESC for descending.) SEPARATOR: Specify a character to use between each valued concatenated together. By default , is used.

hashtag
Oracle

hashtag
UNION

Oracle requires a FROM in UNIONs unlike MSSQL or MySQL.

hashtag
List Databases:

hashtag
List Tables

hashtag
List Columns From Specific Table

hashtag
List Columns and Table Names

hashtag
Get Data from Table

hashtag
Authentication Bypass

hashtag
Resources

hashtag
General

http://pentestmonkey.net/category/cheat-sheet/sql-injectionarrow-up-right http://www.securityidiots.com/Web-Pentest/SQL-Injection/arrow-up-right https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL Injectionarrow-up-right https://sqlwiki.netspi.com/attackQueries/executingOSCommands/#mysqlarrow-up-right

hashtag
Authentication Bypass

https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/arrow-up-right

hashtag
MSSQL

https://perspectiverisk.com/mssql-practical-injection-cheat-sheet/arrow-up-right https://www.exploit-db.com/papers/12975arrow-up-right https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL Injection/MSSQL Injection.mdarrow-up-right

hashtag
MYSQL

https://perspectiverisk.com/mysql-sql-injection-practical-cheat-sheet/arrow-up-right https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL Injection/MySQL Injection.mdarrow-up-right

hashtag
Oracle

http://www.securityidiots.com/Web-Pentest/SQL-Injection/Union-based-Oracle-Injection.htmlarrow-up-right https://cheatography.com/dormidera/cheat-sheets/oracle-sql-injection/arrow-up-right https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL Injection/OracleSQL Injection.mdarrow-up-right

PreviousAttacksNextFile Inclusion

Last updated