- This topic has 7 replies, 2 voices, and was last updated 3 years, 2 months ago by glosnick.
- AuthorPosts
- August 4, 2021 at 5:27 pm #57340glosnickParticipant
I’m a little confused but I’m not quite sure why I’m confused and I was hoping you would clarify the situation for me please.
Could you clarify what the statement union select 1,2,3,4,5 actually does as I’m a little confused and why it produces the results it does.
When I go to the metasploitable VM and type the command select 1 from accounts when I’m in the accounts table of the owasp10 database on mysql I get a list of 1’s. So what when Zaid uses union select 1,2,3,4,5 does he get the user information and then an additional record which uses 2,3,4 and what happens to 5?
I’d really appreciate a little clarity.
Regards
Nick
August 4, 2021 at 5:47 pm #57342Diego PérezModeratorHi!
No, those 1,2,3,4,5 are just the columns needed for the query to be valid, some of them are being printed on screen and some of them aren’t. This has been explained by Zaid in the lectures, maybe watch them again.
I know that sql can be a bit confusing in the beginning so look for information in internet, here’s an example:
https://portswigger.net/web-security/sql-injectionGreetings!
DiegoAugust 5, 2021 at 11:04 am #57368glosnickParticipantThanks for getting back to me. I did watch the lectures again and I don’t think he fully explains why he uses 1,2,3,4,5. I understand that he uses order by to determine the number of columns in the database. So if I understand correctly it doesn’t really matter what Zaid uses in the query. So he could use A,B,C,D and E for example and would it still work? So the results displayed on the screen is the server attempting to execute our query even though 1,2,3,4,5 do not relate to the column headings, again is that correct? I’m really sorry to be a nuisance and I really do appreciate your patience with this novice ethical hacker.
Again my thanks and regards
Nick
August 5, 2021 at 11:34 am #57371glosnickParticipantI also wondered how Zaid or people figured these kinds of things out. Is it just trial and error? Injecting union select 1,2,3,4,5 seems almost non-sensical. How do you come up with such things?
Regards
Nick
August 5, 2021 at 5:20 pm #57377Diego PérezModeratorHi!
Basically if you know SQL syntax (like being a web developer) then the queries have a lot of sense, it’s not like “let’s see what happens if I add UNION here”, this injections are based on knowledge. Getting the correct number of columns is guessing indeed.
And it also depends on how the web application works, but yeah, basically you can use a,b,c,d,e instead. And as mentioned in the lecture we are adding our code to the original query by the web application, that’s why the UNION statement is used, to join both queries.Greetings!
DiegoAugust 6, 2021 at 10:41 am #57382glosnickParticipantThank you so much for your patience and taking the time to explain it further to me. One day, I live in the fear that I might understand all of this but not today. Although I do understand a little more. I understand now why Zaid chose to add the union command. But what would have made him decide to use select 1,2,3,4,5. I understand that using the order by statement he could determine the number of columns in the table. But the column headings much have been unknown at that point. So why choose select 1,2,3,4,5. Is it just a knowledge of SQL which I don’t have at present or something else?
Thanks again and regards
Nick
August 6, 2021 at 5:46 pm #57399Diego PérezModeratorHi!
As mentioned you can use a,b,c,d,e or whatever you want. Using numbers is just easier.Greetings!
DiegoAugust 9, 2021 at 10:43 am #57443glosnickParticipantThanks for the response.
Regards
Nick
- AuthorPosts
- You must be logged in to reply to this topic.