SQL Injection/UNION Attack: Difference between revisions
From charlesreid1
(Created page with "This page covers UNION attacks, a type of SQL Injection attack. =Overview= A UNION attack is a type of SQL Injection attack that exploits the ability to run SQL code...") |
No edit summary |
||
| Line 1: | Line 1: | ||
This page covers UNION attacks, a type of [[SQL Injection]] attack. | This page covers UNION attacks, a type of [[SQL Injection]] attack. | ||
For coverage of how to carry out this type of attack with [[Burpsuite]], see [[Burpsuite/SQL Injection#UNION Attacks]] | |||
=Overview= | =Overview= | ||
Revision as of 18:23, 10 March 2022
This page covers UNION attacks, a type of SQL Injection attack.
For coverage of how to carry out this type of attack with Burpsuite, see Burpsuite/SQL Injection#UNION Attacks
Overview
A UNION attack is a type of SQL Injection attack that exploits the ability to run SQL code on a remote server by running cross-table queries to fetch (for example) username/password data from a product page.
Example
Suppose a web application allows a user to list products by category, and uses the user-provided "category" field to run the following SQL query:
SELECT name, description FROM products WHERE category = 'Gifts'
Now, if the attacker can pass this as a category:
' UNION SELECT username, password FROM users--
and the user input is not sanitized, the query will return all usernames and passwords along with product listings.
References
Burp suite: https://portswigger.net/web-security/sql-injection/union-attacks