Amir Roknifard
Amir is the founder of Academician journal and has reviewed a few books in cybersecurity, with more than 16 years of professional experience in the field. Over the years he has focused on cybersecurity services with a broad view of threat and vulnerability management, reforming cybersecurity processes and procedures and helping boards to identify their risks and transform their cybersecurity practices. He has recently developed a master's degree program, M.Sc. Cybersecurity & Digital Forensics, for a European university.

What does “Vulnerable Column” mean in UNION SELECT?

Let’s say your server-side code builds its query like this:

sql = "select id, title, description from artists where id = " + id

So using this injection:

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,3

would result in the following SQL statement:

select id, title, description from artists where id= -1 union select 1,2,3

If the client side (UI) then displays “2” and “3” in the “title” and “description” fields, we can say that column 2 and column 3 of that table are vulnerable. This means that if we put “version()” in place of 2, as below:

select id, title, description from artists where id= -1 union select 1,version(),3

then the “title” field will show the version value instead of “2”.

So basically, vulnerable columns are those whose values are exposed on the client side (UI), so that we can see the result of the injected code there; in the example above, the version.
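The same behaviour can be reproduced locally, together with the fix. This is an added example, not code from the original post: it assumes Python with an in-memory SQLite database standing in for the real back end, and the table contents, the `render` template and all function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the page's "artists" table.
    db = sqlite3.connect(":memory:")
    db.execute("create table artists (id integer, title text, description text)")
    db.execute("insert into artists values (1, 'Artist One', 'Constructed sample row')")
    return db

def render(row):
    # Hypothetical page template: only title and description reach the UI,
    # the id column (position 1) is never displayed.
    return {"title": row[1], "description": row[2]} if row else None

def lookup_concatenated(db, artist):
    # Same pattern as the server-side code above: the request value is
    # pasted into the SQL text, so it is parsed as SQL.
    sql = "select id, title, description from artists where id = " + artist
    return render(db.execute(sql).fetchone())

def lookup_parameterized(db, artist):
    # Hardened form: the value is bound as data and never parsed as SQL.
    sql = "select id, title, description from artists where id = ?"
    return render(db.execute(sql, (artist,)).fetchone())

def reflected_columns(rendered, markers=(1, 2, 3)):
    # Column positions whose marker value shows up in the rendered page.
    if rendered is None:
        return []
    shown = set(rendered.values())
    return [pos for pos, marker in enumerate(markers, start=1) if marker in shown]

if __name__ == "__main__":
    db = make_db()
    payload = "-1 union select 1,2,3"  # the injection string from the text
    page = lookup_concatenated(db, payload)
    print("concatenated :", page, "-> reflected columns", reflected_columns(page))
    print("parameterized:", lookup_parameterized(db, payload))
    print("legit lookup :", lookup_parameterized(db, "1"))
```

With the bound parameter the whole string is compared against `id` as a single value, so no row comes back and no column is reflected, while a normal lookup still works.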
