SQL Injection

UNION Statement

UNION can only combine SELECT statements that return the same number of columns.

Because of this we sometimes need to add artificial (filler) columns to our injected SELECT so that its column count matches the original query.

NULL fits all data types, so it is the usual filler value.

Union Injection

First Order:

Step 1 - Check if the parameter can be injected at all

Step 2 - Find out how many columns the query sends back
  • With ORDER BY - go in sequential order until you get an error back - ORDER BY 1, ORDER BY 2, etc.
  • With UNION - go in sequential order but with UNION - UNION select 1,2,3, adding a column each time until the error goes away

Step 3 - Find the location of the injection

  • It's valuable to use numbers as junk data since they tell us which of the query's columns actually end up displayed on the page. For example if we test with UNION select 1,2,3,4 maybe we would only see 2, 3 and 4.
    • In a case like this we know that our grab for information can be placed in the second column. For example, to get the version of the DB:
    • UNION select 1,@@version,3,4
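An added example, not part of the original notes, showing the mechanics behind the three steps above and why they fail against a parameterized query. It uses an in-memory SQLite database as a stand-in for MySQL (the UNION column-count rule and NULL padding work the same way; only @@version is MySQL-specific), and the tables products and users are constructed for the demo. search_vulnerable builds the query by string concatenation, search_safe binds the input as a parameter; the same input is handled by both so the difference is visible side by side.

```python
import sqlite3

# Constructed demo schema: an in-memory SQLite database stands in for the MySQL
# server in the notes. The UNION column-count rule and NULL padding behave the
# same way; only the version function differs (@@version is MySQL-specific).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price REAL, stock INTEGER);
        INSERT INTO products VALUES (1, 'widget', 9.99, 10), (2, 'gadget', 19.99, 0);
        CREATE TABLE users(id INTEGER, username TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test');
    """)
    return conn

def search_vulnerable(conn, term):
    # String concatenation: whatever the caller supplies becomes SQL text,
    # so a quote closes the literal and the rest is parsed as part of the query.
    sql = "SELECT id, name, price, stock FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()

def search_safe(conn, term):
    # Parameterized query: the driver binds term as a value. The SQL text is
    # fixed, so the same input is just an odd product name that matches nothing.
    sql = "SELECT id, name, price, stock FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()

def union_column_mismatch(conn):
    # Step 2 of the notes: a UNION whose SELECTs return different column counts
    # is rejected by the parser (3 columns here against 4 in the base query).
    # That error is what the ORDER BY / UNION counting walk is looking for.
    # Returns the error text, or None if the query was accepted.
    try:
        search_vulnerable(conn, "x' UNION SELECT 1,2,3-- ")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

def union_with_null_padding(conn):
    # Step 3 of the notes: four columns to match the four in the products query,
    # NULL in the slots we do not need because NULL fits every column type.
    # Returns (rows from the concatenated query, rows from the parameterized one).
    probe = "x' UNION SELECT NULL, username, email, NULL FROM users-- "
    return search_vulnerable(conn, probe), search_safe(conn, probe)

if __name__ == "__main__":
    db = make_db()
    print("column mismatch:", union_column_mismatch(db))
    leaked, safe = union_with_null_padding(db)
    print("concatenated:", leaked)
    print("parameterized:", safe)
```

The parameterized version returns an empty list for the same input: the quote never terminates the string literal because the literal is not part of the SQL text at all. That is the fix to push for when reporting this class of finding; escaping or keyword filtering only narrows the payload set.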

Database Enumeration

For MySQL we have a few ways to fingerprint the DBMS, depending on how much of the query output we can see.

If we have full query output, try SELECT @@version: with MySQL you will get a version string back, and an error with other DBMS.

If you only get a number back, try SELECT POW(1,1): you will get 1 back with MySQL and an error with other DBMS.

With a blind attack, try SELECT SLEEP(5): with MySQL it will take 5 seconds to return the page and output a 0, while other DBMS will not delay the response.
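An added example from the detection side, not part of the original notes: the column-counting walk (Step 2), the UNION placement probes (Step 3) and the fingerprint functions above all leave a recognisable trail in web server access logs. The scanner below parses constructed, combined-format log lines (sample traffic, not real), URL-decodes the request path, and flags a client that sends a run of numeric ORDER BY probes, any UNION SELECT, or one of the @@version / POW(1,1) / SLEEP(n) fingerprints. The log format, client addresses and the threshold of three ORDER BY probes are assumptions for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). 10.0.0.5 is benign
# traffic, 10.0.0.7 sends a single ORDER BY, 10.0.0.9 walks ORDER BY 1..5 until
# the server errors, then probes with UNION SELECT and the fingerprint functions.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=order+by+price HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=1'%20ORDER%20BY%201-- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /item?id=1'%20ORDER%20BY%201-- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /item?id=1'%20ORDER%20BY%202-- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /item?id=1'%20ORDER%20BY%203-- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /item?id=1'%20ORDER%20BY%204-- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /item?id=1'%20ORDER%20BY%205-- HTTP/1.1" 500 128
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /item?id=1'%20UNION%20SELECT%201,2,3,4-- HTTP/1.1" 200 540
10.0.0.9 - - [01/Jan/2024:10:00:10 +0000] "GET /item?id=1'%20UNION%20SELECT%201,%40%40version,3,4-- HTTP/1.1" 200 560
10.0.0.9 - - [01/Jan/2024:10:00:11 +0000] "GET /item?id=1'%20AND%20SLEEP%285%29-- HTTP/1.1" 200 512
"""

# Combined log format: client, identd, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each pattern is matched against the URL-decoded path, case-insensitively.
PROBES = {
    "order_by": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "fingerprint": re.compile(
        r"@@version|\bpow\s*\(\s*1\s*,\s*1\s*\)|\bsleep\s*\(\s*\d+\s*\)", re.I
    ),
}

def parse_line(line):
    # Returns the parsed fields plus the decoded request path, or None if the
    # line does not match the expected format.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["path"])
    return rec

def scan(log_text):
    # Counts probe hits per client: {ip: {probe_name: count}}.
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for tag, rx in PROBES.items():
            if rx.search(rec["decoded"]):
                hits[rec["ip"]][tag] += 1
    return {ip: dict(tags) for ip, tags in hits.items()}

def flag_clients(log_text, order_by_threshold=3):
    # One ORDER BY in a URL can be an odd but legitimate query; a run of
    # numeric ORDER BY probes from one client is the counting walk. Any UNION
    # SELECT or DBMS fingerprint function is alert-worthy on its own.
    findings = {}
    for ip, tags in scan(log_text).items():
        reasons = []
        if tags.get("order_by", 0) >= order_by_threshold:
            reasons.append("order_by_walk")
        if tags.get("union_select"):
            reasons.append("union_select")
        if tags.get("fingerprint"):
            reasons.append("dbms_fingerprint")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in flag_clients(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(reasons))
```

Decoding the path before matching matters: the probes arrive percent-encoded, and a "+" decodes to a space, which is why the benign "order+by+price" search is checked against the same pattern and does not match (no numeric column index). In a real deployment the same logic would also want to watch the 5xx rate per client, since the error on ORDER BY 5 is exactly the signal the walk is looking for.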

sqli SQLinjection