
This course focuses on SQL vulnerabilities, which are among the most common and dangerous vulnerabilities you will come across when you carry out web pentesting or bug bounty hunting. We'll start by covering the fundamentals of SQL and how a database is created with it. You'll also learn the SQL commands used to insert values, read them back, change them, or delete them.


Hi, within this lecture we're going to see the details of the UNION SELECT that we saw in the previous lecture. As I said before, the left side and the right side of the UNION SELECT should have the same number of columns, and in this case they don't. In test2 we have four columns and in test we have three columns, and in a real situation we may not even know how many columns we have in here.

So, what we can do about that is test and see. Rather than selecting everything from test or everything from test2, we can check whether they have four columns, three columns, or two columns. Let's see how it's done. Instead of *, I'm going to delete the * and try to find the number of columns. You can just say SELECT 1, which tries to select only one column from here, and you can keep going like this with commas: SELECT 1, 2, and so on. Again, it says the two sides do not have the same number of columns. With SELECT 1, 2 we still do not have the same number, and with SELECT 1, 2, 3 we do not have the same number either. Let's try four and see what happens. Now we get some data back: as you can see, the left-hand side already had four columns, so they're showing up. Atil, James, and Lars are FROM test2, and below them the row 1, 2, 3, 4 is FROM test. What we did in this case is work out how many columns test2 has, and we found that there are four.

So, how can we get the values of the columns inside test? Right now, as you can see, we only see these 1, 2, 3, 4 values. We don't get the actual data from test, right? We only get it from test2. If I really want the data inside test, then I need to know the names of the columns I'm looking for. For example, if I replace one of the numbers with a column name, then I should get the values from the test table as well. But how do we know the column names?

In this case we supposedly don't know the column names. Actually, we do know them here, so I could just write the right name, but in real-life pentesting we wouldn't know the column names. There are two ways to go about that. We can guess them, like Id, Name, Surname, or whatever you might think of, such as password or credit card numbers, or we can try to hack into the database, and if there is a vulnerability in those areas as well, then we would learn the column names that way.

We're going to see how that's done in the upcoming sections, but right now I'm just going to guess, starting with Id. Many SQL tables have an Id column, and as you can see, when I type Id, I now see the Id numbers over here. It's not very explicit right now, because the Ids are also numbers, but in the second column we don't see anything new, because it's still 2 and you see four 2s over here. Let's try username, for example, and it says there is no such column as username. So, maybe we can go back and try email, and it will say there is no column email.

So, maybe we can try name, and here you go, we get the names. These are the names from the test table, as you can see. And the funny thing here is that it doesn't matter where we write name: I can put it over there, and name will be displayed under the fourth column, which has the label of age right now. Even though it has the label of age, it's showing the name. That's important, you shouldn't forget it. The labels you see over here come from the first SELECT, the left side of the UNION, so they are the labels of test2, and test2 has the label of age on that column. But since we have specified name in the fourth column, we are getting the records of the name column in the test table.

So, it's a little bit confusing, especially if you're seeing SQL queries and SQL commands for the first time. But believe me, when we practice this you will understand what's going on. It's essential that you know this stuff before we go into that, so that when it happens, when we hack into some database, you're going to say, "Yeah, that was it. Because we have already learned it, now I understand it." Again, as you can see, if I put age over here under surname, it will be displayed in the third column, even though that column is not surname, because I specified it to be so. And we don't always have to guess: if there is some vulnerability, we can get the column names from the database as well. We're going to see how that's done in the upcoming sections. Now we are done with SQL 101, and we will move on to web pentesting in the next lecture.
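The two steps described above, finding the column count with SELECT 1, SELECT 1, 2, and so on, and then swapping a number for a guessed column name, can be reproduced in a small Python script against an in-memory SQLite database. This is an added example and not code from the lecture; the schema and rows (test2 with four columns, test with three, the names Atil, James and Lars in test2) are constructed for the example, and the functions `open_db`, `find_column_count` and `union_extract` are hypothetical helpers written for it. The script also shows the point about labels: the header names come from the left side of the UNION, so the values of test's name column show up under test2's age label.

```python
import sqlite3

# Constructed sample data for this example; it is not the lecture's database.
# test2 has four columns and test has three, the mismatch the lecture discusses.
SCHEMA = """
CREATE TABLE test2 (id INTEGER, name TEXT, surname TEXT, age INTEGER);
INSERT INTO test2 VALUES
  (1, 'Atil',  'Example', 35),
  (2, 'James', 'Example', 41),
  (3, 'Lars',  'Example', 39);
CREATE TABLE test (id INTEGER, name TEXT, age INTEGER);
INSERT INTO test VALUES (1, 'Alice', 27), (2, 'Bob', 52), (3, 'Carol', 33);
"""


def open_db():
    """Build an in-memory SQLite database holding the two sample tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_column_count(conn, left="test2", right="test", max_cols=10):
    """Step 1: run `SELECT * FROM test2 UNION SELECT 1[, 2, ...] FROM test`
    with one more number each time until the database stops rejecting the
    query. Returns (count, errors); errors lists every rejected width."""
    errors = []
    for n in range(1, max_cols + 1):
        numbers = ", ".join(str(i) for i in range(1, n + 1))
        query = f"SELECT * FROM {left} UNION SELECT {numbers} FROM {right}"
        try:
            conn.execute(query).fetchall()
            return n, errors  # first width both sides of the UNION agree on
        except sqlite3.OperationalError as exc:
            errors.append((n, str(exc)))  # "...do not have the same number..."
    return None, errors


def union_extract(conn, column, position, width, left="test2", right="test"):
    """Step 2: keep the marker numbers 1..width but put a guessed column name
    at `position` (0-based). Returns (labels, values): labels come from the
    LEFT side of the UNION, values are what the right table returned in that
    position. Returns None when the guessed column does not exist."""
    numbers = [str(i) for i in range(1, width + 1)]
    numbers[position] = column
    query = f"SELECT * FROM {left} UNION SELECT {', '.join(numbers)} FROM {right}"
    try:
        cur = conn.execute(query)
    except sqlite3.OperationalError:
        return None  # e.g. "no such column: username"
    labels = tuple(d[0] for d in cur.description)
    values = []
    for row in cur.fetchall():
        # Rows that came from `test` still carry the marker number i+1 in
        # every position other than the one we replaced; test2 rows do not.
        if all(row[i] == i + 1 for i in range(width) if i != position):
            values.append(row[position])
    return labels, sorted(values, key=str)


if __name__ == "__main__":
    db = open_db()
    count, rejected = find_column_count(db)
    for n, msg in rejected:
        print(f"width {n}: {msg}")
    print(f"test2 has {count} columns")
    for guess in ("username", "email", "id", "name"):
        result = union_extract(db, guess, count - 1, count)
        if result is None:
            print(f"{guess}: no such column")
        else:
            labels, values = result
            print(f"{guess}: shown under label {labels[count - 1]!r}: {values}")
```

Running the script prints the SQLite rejection for widths 1 to 3, reports four columns, and then shows that `name` is returned under the `age` label, exactly the labelling point made in the lecture.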

About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.