Viewing 8 posts - 1 through 8 (of 8 total)
    #57340
    glosnick
    Participant

    I’m a little confused, but I’m not quite sure why I’m confused, and I was hoping you would clarify the situation for me, please.

    Could you clarify what the statement union select 1,2,3,4,5 actually does, as I’m a little confused, and why it produces the results it does?

    When I go to the metasploitable VM and type the command select 1 from accounts when I’m in the accounts table of the owasp10 database on mysql, I get a list of 1’s. So when Zaid uses union select 1,2,3,4,5, does he get the user information and then an additional record which uses 2,3,4, and what happens to 5?

    I’d really appreciate a little clarity.

    Regards

    Nick

    #57342
    Diego Pérez
    Moderator

    Hi!

    No, those 1,2,3,4,5 are just the columns needed for the query to be valid, some of them are being printed on screen and some of them aren’t. This has been explained by Zaid in the lectures, maybe watch them again.

    I know that SQL can be a bit confusing in the beginning, so look for information on the internet; here’s an example:
    https://portswigger.net/web-security/sql-injection

    Greetings!
    Diego

    #57368
    glosnick
    Participant

    Thanks for getting back to me. I did watch the lectures again and I don’t think he fully explains why he uses 1,2,3,4,5. I understand that he uses order by to determine the number of columns in the database. So if I understand correctly, it doesn’t really matter what Zaid uses in the query. So he could use A,B,C,D and E, for example, and would it still work? So the results displayed on the screen are the server attempting to execute our query even though 1,2,3,4,5 do not relate to the column headings; again, is that correct? I’m really sorry to be a nuisance and I really do appreciate your patience with this novice ethical hacker.

    Again my thanks and regards

    Nick

    #57371
    glosnick
    Participant

    I also wondered how Zaid or people figured these kinds of things out. Is it just trial and error? Injecting union select 1,2,3,4,5 seems almost nonsensical. How do you come up with such things?

    Regards

    Nick

    #57377
    Diego Pérez
    Moderator

    Hi!

    Basically, if you know SQL syntax (like being a web developer), then the queries make a lot of sense; it’s not like “let’s see what happens if I add UNION here”, these injections are based on knowledge. Getting the correct number of columns is guessing indeed.
    And it also depends on how the web application works, but yeah, basically you can use a,b,c,d,e instead. And as mentioned in the lecture, we are adding our code to the original query made by the web application; that’s why the UNION statement is used, to join both queries.

    Greetings!
    Diego

    #57382
    glosnick
    Participant

    Thank you so much for your patience and taking the time to explain it further to me. One day, I live in the fear that I might understand all of this, but not today. Although I do understand a little more. I understand now why Zaid chose to add the union command. But what would have made him decide to use select 1,2,3,4,5? I understand that using the order by statement he could determine the number of columns in the table. But the column headings must have been unknown at that point. So why choose select 1,2,3,4,5? Is it just a knowledge of SQL which I don’t have at present, or something else?

    Thanks again and regards

    Nick

    #57399
    Diego Pérez
    Moderator

    Hi!
    As mentioned, you can use a,b,c,d,e or whatever you want. Using numbers is just easier.

    Greetings!
    Diego
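The points made in Diego's replies (the values after UNION SELECT only have to match the column count of the original query, they are literals rather than column names, and only some of them show up on the page) can be checked in a small, runnable example. The code below is an added example, not from the thread or the course; it uses an in-memory SQLite table whose column names and rows are constructed assumptions standing in for the owasp10 `accounts` table, and the `page_render` function is a hypothetical stand-in for a page that only displays two of the five selected columns. It also shows the parameterized form of the same lookup, where the appended UNION text is treated as data and the query simply returns no rows.

```python
import sqlite3

# Constructed stand-in for the owasp10 "accounts" table (columns and rows are assumptions).
COLUMNS = ("cid", "username", "password", "mysignature", "is_admin")


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (cid INTEGER, username TEXT, password TEXT, "
                "mysignature TEXT, is_admin TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "adminpass", "Monkey!", "TRUE"),
        (2, "alice", "hunter2", "hello", "FALSE"),
    ])
    return con


def constant_select(con):
    # 'SELECT 1 FROM accounts' evaluates the constant 1 once per row: this is the
    # list of 1's seen in the mysql client. The 1 is a literal, not a column.
    return con.execute("SELECT 1 FROM accounts").fetchall()


def vulnerable_lookup(con, username):
    # The shape of query a vulnerable page builds: input concatenated into the SQL text.
    # It selects five columns, so anything UNIONed onto it must also yield five columns.
    sql = ("SELECT cid, username, password, mysignature, is_admin FROM accounts "
           f"WHERE username = '{username}'")
    return con.execute(sql).fetchall()


def union_placeholders(con, placeholders):
    # Append 'UNION SELECT <placeholders>' and comment out the page's trailing quote.
    # Returns the rows, or None when the database rejects the UNION (column count mismatch).
    # The placeholders fill the column slots; they never need to match real column names.
    try:
        return vulnerable_lookup(con, f"x' UNION SELECT {placeholders} -- ")
    except sqlite3.OperationalError:
        return None


def find_column_count(con, limit=10):
    # The counting step from the lectures, done with UNION rather than ORDER BY:
    # the first n the database accepts equals the column count of the original query.
    for n in range(1, limit + 1):
        if union_placeholders(con, ",".join(str(i) for i in range(1, n + 1))) is not None:
            return n
    return None


def page_render(rows):
    # Hypothetical page that prints only username and signature: with 1..5 as
    # placeholders, only 2 and 4 are visible, which is why "some are printed and some aren't".
    return [f"{row[1]} / {row[3]}" for row in rows]


def safe_lookup(con, username):
    # Hardened form: a bound parameter is always data, so the UNION text is just an
    # unmatched username and nothing is joined onto the query.
    sql = ("SELECT cid, username, password, mysignature, is_admin FROM accounts "
           "WHERE username = ?")
    return con.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(constant_select(db))                               # [(1,), (1,)]
    print(union_placeholders(db, "1,2,3,4"))                 # None: four columns vs five
    print(union_placeholders(db, "1,2,3,4,5"))               # [(1, 2, 3, 4, 5)]
    print(union_placeholders(db, "'a','b','c','d','e'"))     # [('a', 'b', 'c', 'd', 'e')]
    print(page_render(union_placeholders(db, "1,2,3,4,5")))  # ['2 / 4']
    print(find_column_count(db))                             # 5
    print(safe_lookup(db, "x' UNION SELECT 1,2,3,4,5 -- "))  # []
```

Note that the letters work here only because they are quoted string literals; unquoted `a,b,c,d,e` would be parsed as column names and rejected by both SQLite and MySQL unless such columns exist, which is one practical reason plain numbers are the usual choice. The `safe_lookup` function is the change a developer would make: with a bound parameter there is no string to break out of, and the column-count guessing in `find_column_count` never gets a query to attach to.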

    #57443
    glosnick
    Participant

    Thanks for the response.

    Regards

    Nick
