SQL Injection Challenge 5 Security Shepherd

Use these techniques only on systems you own or have explicit permission to test. Practicing on intentionally vulnerable platforms (like Security Shepherd) is appropriate; attempting unauthorized exploitation on production systems is illegal and unethical.

The paper you're referring to is likely a write-up or solution guide for SQL Injection Challenge 5 from the OWASP Security Shepherd project.

Security Shepherd is a web app security training platform, and Challenge 5 typically focuses on advanced blind SQL injection or bypassing filters (e.g., stripping spaces, comments, or certain keywords).


Challenge 5 is notorious for implementing naïve blacklist filtering. You may encounter blocks on:

Example filtered bypass: 1%00%20AND%201=2%00%20UNION%00%20SELECT%00%201,group_concat(username),3%00%20FROM%00%20users

The UNION operator combines the result sets of two or more SELECT statements. To use it, two conditions must be met:

We need to:

Alternative comment syntax in SQL:

Observe that -- is not filtered in this challenge, but OR/AND are, so we need a tautology without those words.

Technique: Use || (string concatenation) or = with arithmetic.

To perform a UNION SELECT, your injected query must have the same number of columns as the original query. We need to find this number.

Try injecting the following payloads to test for column count using the ORDER BY technique:

Payload 1: ' ORDER BY 1-- (If no error, there is at least 1 column)

Payload 2: ' ORDER BY 2-- (If no error, there are at least 2 columns)

Payload 3: ' ORDER BY 3-- (If no error, there are at least 3 columns)

Payload 4: ' ORDER BY 4--

If the application returns an error (or a blank page) at ORDER BY 4, but worked for ORDER BY 3, then the original query has 3 columns.

If you are using this article for defensive training, here is how to prevent Challenge 5 from existing in your own code:

To prevent this injection:
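
One way to do that, shown as an added example that is not part of the original write-up or of Security Shepherd's code: a keyword blacklist with string concatenation beside a parameterized query, run against the ORDER BY probes above. The table, the sample rows, the blacklist regex and the use of SQLite in place of the challenge's database are all assumptions made for illustration.

```python
import re
import sqlite3

# Hypothetical keyword blacklist modelled on the filtering described above:
# it rejects standalone OR / AND but ignores quotes and the "--" comment marker.
BLACKLIST = re.compile(r"\b(OR|AND)\b", re.IGNORECASE)


def make_db():
    """Build an in-memory, three-column table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")],
    )
    return db


def lookup_blacklist(db, name):
    """Weak form: filter keywords, then concatenate the input into the SQL text."""
    if BLACKLIST.search(name):
        return "blocked"
    sql = "SELECT id, name, email FROM customers WHERE name = '" + name + "'"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # The input was parsed as SQL, so the caller controlled the statement.
        return "sql-error: " + str(exc)


def lookup_parameterized(db, name):
    """Corrected form: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal name, a harmless phrase the blacklist
    # rejects, and the ORDER BY probes from the column-count section.
    for value in ["alice", "black AND white", "' ORDER BY 3--", "' ORDER BY 4--"]:
        print(repr(value), "| blacklist:", lookup_blacklist(db, value),
              "| parameterized:", lookup_parameterized(db, value))
```

The blacklist both rejects a harmless value and lets the ORDER BY probe reach the SQL parser, while the bound parameter is compared as a plain string and simply matches no rows.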