From charlesreid1


Revision as of 19:20, 10 March 2022

This page covers UNION attacks, a type of SQL Injection attack.

For coverage of how to carry out this type of attack with Burpsuite, see Burpsuite/SQL Injection#UNION Attacks

Overview

A UNION attack is a type of SQL Injection attack that exploits the ability to run SQL code on a remote server by running cross-table queries to fetch (for example) username/password data from a product page, or to extract information about the database schema.

Example: Retrieving Data from Other Tables

Suppose a web application allows a user to list products by category, and uses the user-provided "category" field to run the following SQL query:

SELECT name, description FROM products WHERE category = 'Gifts'

Now, if the attacker can pass this as a category:

' UNION SELECT username, password FROM users--

and the user input is not sanitized, the query will return all usernames and passwords along with product listings.

Practically speaking, when the payload is sent as a query-string parameter it must be URL-encoded, so a request such as /filter?category=Gifts becomes /filter?category='+UNION+SELECT+username,password+FROM+users--

Determining Number of Columns Returned for an Attack

When performing a UNION attack, you may need to know how many columns are returned from the original query.

There are two ways to do it.


The first way is to submit a series of ORDER BY clauses (ORDER BY 1, ORDER BY 2, and so on), incrementing the column index until you get an error:

' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
...

Once the column index is larger than the number of columns in the query, the application will return an error. The application may display the SQL error, return a generic error code, or simply return no results.


The second way is to submit a series of UNION SELECT payloads, specifying a different number of null values:

' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
...

As above, once there are more NULLs than columns in the original query, the application will return an error. This method may trigger a different error (for example a null pointer error) than the ORDER BY method.
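As an added example (not code from the original page) covering both the concatenated category query above and the column-count probes: the vulnerable lookup beside its parameterised form, run against a constructed in-memory SQLite database, plus a regex that flags the ORDER BY / UNION SELECT NULL probe sequence in constructed access-log lines. The schema, sample rows, log lines and the PROBE_RE pattern are assumptions made for the example.

```python
import re
import sqlite3

def build_db():
    # Constructed in-memory schema mirroring the page's products/users example.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, category TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('Mug', 'A ceramic mug', 'Gifts');
        INSERT INTO products VALUES ('Lamp', 'A desk lamp', 'Home');
        INSERT INTO users VALUES ('admin', 'example-password');
    """)
    return conn

def list_products_vulnerable(conn, category):
    # String concatenation: the request parameter becomes part of the SQL text,
    # so a quote closes the literal and the remainder is parsed as SQL.
    sql = "SELECT name, description FROM products WHERE category = '" + category + "'"
    return conn.execute(sql).fetchall()

def list_products_safe(conn, category):
    # Parameterised query: the driver binds the value and never parses it as SQL,
    # so the same payload is just an unknown category and matches nothing.
    sql = "SELECT name, description FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()

# Column-count probing shows up as a burst of ORDER+BY+n-- or
# UNION+SELECT+NULL,... payloads in one parameter; flag those in access logs.
PROBE_RE = re.compile(r"(ORDER\+BY\+\d+--|UNION\+SELECT\+NULL(,NULL)*--)", re.I)

def find_probes(log_lines):
    # Returns the request lines that carry a column-count probe payload.
    return [line for line in log_lines if PROBE_RE.search(line)]

# Constructed sample access-log lines (not from the original page).
SAMPLE_LOG = [
    "GET /filter?category=Gifts HTTP/1.1 200",
    "GET /filter?category=%27+ORDER+BY+1-- HTTP/1.1 200",
    "GET /filter?category=%27+ORDER+BY+3-- HTTP/1.1 500",
    "GET /filter?category=%27+UNION+SELECT+NULL,NULL-- HTTP/1.1 500",
    "GET /filter?category=Home HTTP/1.1 200",
]

PAYLOAD = "' UNION SELECT username, password FROM users--"

if __name__ == "__main__":
    conn = build_db()
    print(list_products_vulnerable(conn, PAYLOAD))  # leaks the users row
    print(list_products_safe(conn, PAYLOAD))        # [] : payload treated as data
    print(find_probes(SAMPLE_LOG))
```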

Burp Suite Example

Fire up Burp Suite, switch to the Proxy tab, and open the browser. Log into the PortSwigger training site online.

Here is a simple e-commerce website with a built-in SQL injection vulnerability:

SQL Injection UNION Attack Burp 1.png

Note the category=xyz parameter, which is the insecure portion of the application: its value is substituted into an SQL query without being sanitized first.

SQL Injection UNION Attack Burp 2.png

We use the UNION SELECT payloads in this case. Trying with 1 or 2 NULL values returns a server error:

SQL Injection UNION Attack Burp 3.png

But once we try with 3 NULL values, the server renders the page successfully, so the original query returns three columns.

SQL Injection UNION Attack Burp 4.png

Determining Column Data Types

The purpose of an SQL injection UNION attack is to retrieve results from the injected query.

Since the data of interest is typically string data, you have to find one or more columns in the original query that are of type string.

References

Burp suite: https://portswigger.net/web-security/sql-injection/union-attacks