On Oracle databases, every
SELECT statement must specify a table to select
FROM. If your
UNION SELECT attack does not query from a table, you will still need to include the
FROM keyword followed by a valid table name.
There is a built-in table on Oracle called
dual which you can use for this purpose. For example:
UNION SELECT 'abc' FROM dual
For more information, see our SQL injection cheat sheet.