SQL Injection question
by - Thursday, January 1, 1970 at 12:00 AM
Thanks to google dorks I found some websites coded in PHP which are vulnerable to SQL Injection. On 1 website I was able to fetch the database name, column names etc... from the database server. I want to exactly understand what I'm doing so I have a question about a query I used to fetch the database name:

In a first step I tried to track down the total amount of rows with the following query:

http://vuln_site.com/index.php?id=-1 order by 1
http://vuln_site.com/index.php?id=-1 order by 2
http://vuln_site.com/index.php?id=-1 order by 3
...
http://vuln_site.com/index.php?id=-1 order by 10

A SQL error was shown when I ran the query with 'order by 10'.

This means there are 9 rows in the table, which is clear to me. In the next step I used the query below to track down the database name, and this was also successful.

http://vuln_site.com/index.php?id=-1 union select 1,database(),3,4,5,6,7,8,9

The database name was shown. However, I have a question about this query because I don't understand it completely. Why is the database() object placed in row 2 in the select query from above? As you can see, the digit 2 is replaced with database(), and when executing this the database name shows up.

Thanks in advance!
Reply
https://portswigger.net/web-security/sql-injection/union-attacks

Under 'Finding columns with a useful data type in an SQL injection UNION attack'
Reply
(October 23, 2022, 04:01 PM)opulent_accomplice Wrote: https://portswigger.net/web-security/sql-injection/union-attacks

Under 'Finding columns with a useful data type in an SQL injection UNION attack'


Thanks, really useful
Reply
(October 23, 2022, 04:01 PM)opulent_accomplice Wrote: https://portswigger.net/web-security/sql-injection/union-attacks

Under 'Finding columns with a useful data type in an SQL injection UNION attack'


thanks for that
Reply
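
The following is an added illustration, not part of any post in this thread. It shows why the value in one position of a UNION is the one that appears on the page (the template prints only that column), and how binding the parameter removes the behaviour. It uses Python's sqlite3 with a constructed 3-column table in place of the site's PHP/MySQL code; the table, the function names and the MARKER input are all assumptions.

```python
import sqlite3

# Constructed sample data: a 3-column table standing in for the thread's 9-column one.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.execute("INSERT INTO articles VALUES (1, 'Welcome', 'First post')")
    return db

def render(row):
    # The page template prints only the second column of the result row.
    # Whatever value ends up in that position is what the visitor sees.
    return "<h1>%s</h1>" % row[1] if row else "<h1>Not found</h1>"

def page_vulnerable(db, id_param):
    # 'Before': the request parameter is concatenated into the SQL text,
    # so it is parsed as SQL and can append a second SELECT to the query.
    sql = "SELECT id, title, body FROM articles WHERE id = " + id_param
    return render(db.execute(sql).fetchone())

def page_hardened(db, id_param):
    # 'After': reject anything that is not an integer, then bind the value.
    # The statement text is fixed; the input can only be compared to id.
    try:
        article_id = int(id_param)
    except ValueError:
        return render(None)
    sql = "SELECT id, title, body FROM articles WHERE id = ?"
    return render(db.execute(sql, (article_id,)).fetchone())

# Constructed input with the same shape as the request in the thread:
# an id that matches no row, followed by a UNION with one value per column.
UNION_INPUT = "-1 UNION SELECT 1, 'MARKER', 3"

if __name__ == "__main__":
    db = make_db()
    for name, handler in (("vulnerable", page_vulnerable), ("hardened", page_hardened)):
        for value in ("1", UNION_INPUT):
            print(name, repr(value), "->", handler(db, value))
```
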

