1

How does union select statement output vulnerable columns in sql injection

Consider a SQL vulnerable site.

Let the number of columns in the query be 3.

So the statement goes, www.test.com?php.id=-1' union select 1,2,3 --+-

My understanding of this statement is like this.

There are 2 statements Union is used to join both statements. (-) is used to null the value of the first statement. ' is used to break the query and input a second statement and --+- is used to comment out the rest of the statement. Upon inputting this statement, The website displays 2 and 3 as vulnerable columns.

What I don't get is that how a select statement displays the vulnerable columns.

Improve this question
2
  • I'm not sure to clearly understand your question. You mention the term "vulnerable column", but there are no such things as "vulnerable columns" in an SQL injection, the vulnerability resides in application using the database. The "UNION" SQL keyword then allows to unite the legitimate SQL query with the forged one in order to access some information normally not accessible. Commented May 16, 2015 at 16:41
  • i mean this, now see the question Commented May 16, 2015 at 16:46

1 Answer 1

Reset to default
1

This crafted query allows you to distinguish which fields resulting from the original query are actually displayed on the page.

At a latter step, you will indeed replace some of these numbers by more specific requests in order to get some information. However you will obviously prefer that this information will be displayed by the vulnerable app and not consumed in some internal treatment.

If you know that the first column value is not displayed, but the value contained in the second and third one are, you can proceed by using these second and third column to collect some information regarding, for instance, the database structure.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.