Hello,

UNION SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM INFORMATION_SCHEMA.TABLES

for a small database containing three tables.

This instruction is used in SQL injection. I tried it and it worked, but I didn't really know how it works. Can somebody help me?
Thanks, all.

Did you google it? It simply collects null values (row-wise), combining the tables of a database. See more:
http://www.evilsql.com/main/page3.php
 
Comments
Khaldoon Al-Talib 13-Aug-12 11:00am    
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
What does that mean?
Ridoy pointed to a page showing an example of such an attack. But the example could be a little cryptic for someone who does not understand the background.
The hacker starts with adding a " UNION SELECT ALL 1--". When you do a UNION query, both SELECT statements of the query must have the same number of columns.
That is, the hacker expects a query like
SQL
SELECT some columns
FROM ATable
WHERE AColumn=

and then the value from the query string is just appended. Hence that would result in
SQL
SELECT some columns
FROM ATable
WHERE AColumn=1 UNION SELECT ALL 1--

The query causes the error message you show in your comment to Ridoy's answer when the original query selects more than one column. Then the hacker adds more "columns" to his UNION statement, until no error is shown: then he knows the number of columns selected.
You may test your SQL injection skills with a page discussed in the Hall of Shame: Alcatraz ~ the tourist website. They seem to have many columns, so the SQL error attack shown on another page of Evil SQL is more productive.
 
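The column-count rule discussed in the answers, as an added example that is not part of the original posts: it shows the concatenated query failing when the UNION's column count differs, returning an extra row of NULLs when the count matches, and treating the same input as plain data once the value is bound as a parameter. It assumes SQLite through Python's `sqlite3` (the error text differs from the SQL Server message quoted in the comment); the table contents and function names are constructed for the example.

```python
import sqlite3

def make_db():
    """Build a small in-memory database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ATable (AColumn INTEGER, Name TEXT, Price REAL)")
    db.executemany("INSERT INTO ATable VALUES (?, ?, ?)",
                   [(1, "apple", 0.5), (2, "pear", 0.7)])
    return db

def lookup_concatenated(db, value):
    """Vulnerable pattern from the answer: the request value is appended to the SQL text."""
    sql = "SELECT Name, Price FROM ATable WHERE AColumn=" + value
    return db.execute(sql).fetchall()

def lookup_parameterized(db, value):
    """Hardened form: the value is bound as data and is never parsed as SQL."""
    sql = "SELECT Name, Price FROM ATable WHERE AColumn=?"
    return db.execute(sql, (value,)).fetchall()

def union_outcome(db, value):
    """Return ('rows', rows) or ('error', message) for the concatenated query."""
    try:
        return ("rows", lookup_concatenated(db, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = make_db()
    samples = [
        "1",                            # ordinary value
        "1 UNION SELECT ALL 1--",       # one column vs. two: the database rejects it
        "1 UNION SELECT NULL, NULL--",  # two columns vs. two: accepted, adds a NULL row
    ]
    for value in samples:
        print(repr(value))
        print("  concatenated ->", union_outcome(db, value))
        print("  parameterized ->", lookup_parameterized(db, value))
```
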
