Union Based Attacks
Introduction
Union-Based SQL Injection is a type of SQL injection attack that leverages the SQL UNION operator to combine the results of two or more SELECT queries into a single result set. This method can be used by attackers to extract data from a database by adding their own queries to the original query, which the application executes.
How to identify
To identify Union-Based SQL Injection vulnerabilities, look for inputs that are used directly in SQL queries without proper sanitization. Typical indicators include:
Unexpected Behavior: Entering SQL syntax (such as single quotes, double quotes, or UNION SELECT statements) causes unusual behavior or database errors in the application.
Manual Testing: Try injecting UNION SELECT NULL and incrementally increase the number of NULL values until the number of columns matches the original query, for example:
http://somewebsite.com/products.php?id=1 UNION SELECT NULL,NULL
Sometimes you are given the website's source code, including its PHP. Here is an example of a vulnerable PHP snippet:
<?php
// $conn is assumed to be an existing mysqli connection (not shown in the snippet).
$id = $_GET['id'];   // attacker-controlled request parameter, used as-is
// The value is interpolated straight into the SQL string, so a quote in $id
// closes the literal and whatever follows is executed as SQL.
$query = "SELECT name, price FROM products WHERE id = '$id'";
$result = mysqli_query($conn, $query);
?>
Code/tools/websites
Code Snippets
The UNION keyword lets you execute one or more additional SELECT queries and append their results to the original query's result set. Every SELECT joined by UNION must return the same number of columns, with compatible types, which is why the NULL-counting step in the identification section matters. For example:
SELECT a, b FROM table1 UNION SELECT c, d FROM table2
We can use this to add additional queries to the one sent from the website.
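Added example, not code from the page or its author: the PHP pattern above reproduced in Python against a constructed in-memory SQLite table, beside a parameterized version of the same lookup. It shows why the NULL-count step works (a mismatched count raises an error, a matching count appends a row) and that the identical input does nothing to the parameterized query. The table contents, the helper names and the `user_id` parameter are assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the page's products table
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
    """)
    return conn


def lookup_vulnerable(conn, user_id):
    # Mirrors the PHP snippet: the id value is spliced into the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    query = f"SELECT name, price FROM products WHERE id = '{user_id}'"
    try:
        return conn.execute(query).fetchall()
    except sqlite3.OperationalError as exc:
        # A UNION with the wrong column count fails here; an application that
        # echoes this error is what makes the "add another NULL" step tunable.
        return f"error: {exc}"


def lookup_safe(conn, user_id):
    # Parameterized query: the value travels separately from the SQL text and
    # is only ever compared as data, whatever characters it contains.
    return conn.execute(
        "SELECT name, price FROM products WHERE id = ?", (user_id,)
    ).fetchall()


def demo():
    conn = make_db()
    normal = "1"
    # The page's probe: close the quote, UNION in NULLs, comment out the trailing quote.
    probe_one = "1' UNION SELECT NULL -- "       # one column short of the original query
    probe_two = "1' UNION SELECT NULL,NULL -- "  # matches the two selected columns
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_probe_one": lookup_vulnerable(conn, probe_one),
        "vuln_probe_two": lookup_vulnerable(conn, probe_two),
        "safe_normal": lookup_safe(conn, normal),
        "safe_probe_two": lookup_safe(conn, probe_two),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} {rows}")
```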
Tools
SQLMap: An automated tool for SQL injection and database takeover.
Burp Suite: A web vulnerability scanner with tools for manual testing.
Havij: An automated SQL injection tool.
Websites
https://ctflearn.com/challenge/149 (Hard)
Sample problem
Problem Statement
You are given access to a web application with a products category filter feature. The task is to identify if the application is vulnerable to Union-Based SQL Injection and extract all usernames and passwords in the database.
Solution
References
Conclusion
Union-Based SQL Injection is a powerful technique for extracting data from vulnerable applications. Identifying such vulnerabilities requires understanding the behavior of SQL queries and using appropriate tools and manual testing methods. By practicing with tools like SQLMap and platforms like PortSwigger Web Security Academy, you can enhance your skills in exploiting and securing web applications against SQL injection attacks.