Union-based SQLi is basically just abusing the SQL UNION keyword.
To determine the number of columns in a table you’ll need to use a sequence of UNION clauses until you run into and error.
' UNION SELECT NULL --' UNION SELECT NULL, NULL --' UNION SELECT NULL, NULL, NULL --- …and so on until there’s an error…
A similar approach can be used to detect column types.
' UNION SELECT 'a', NULL, NULL --' UNION SELECT NULL, 'a', NULL --' UNION SELECT NULL, NULL, 'a' --- …and so on…
The generalization to other data types is straight-forward.
Useful MySQL keywords:
database()user()andcurrent_user()version()or@@version
The GROUP_CONCAT() function can be useful here: It concatenates fields (and arbitrary strings) in a row, and then further groups rows separated by commas (or by a string specified using SEPARATOR). CONCAT() also works for this (use 0x3a to insert : characters as separators).
It’s worth checking out the Jurassic Park CTF for an example of how to use union-based SQLi (it’s a little hard to summarize).