SQL Injection/UNION Attack

From charlesreid1

Revision as of 18:23, 10 March 2022 by Unknown user (talk)

This page covers UNION attacks, a type of SQL Injection attack.

For coverage of how to carry out this type of attack with Burpsuite, see Burpsuite/SQL Injection#UNION Attacks

Overview

A UNION attack is a type of SQL Injection attack that exploits the ability to run SQL code on a remote server by running cross-table queries to fetch (for example) username/password data from a product page.

Example

Suppose a web application allows a user to list products by category, and uses the user-provided "category" field to run the following SQL query: 

SELECT name, description FROM products WHERE category = 'Gifts'

Now, if the attacker can pass this as a category: 

' UNION SELECT username, password FROM users--

and the user input is not sanitized, the query will return all usernames and passwords along with product listings.


References

Burp suite: https://portswigger.net/web-security/sql-injection/union-attacks

Retrieved from "https://charlesreid1.com/w/index.php?title=SQL_Injection/UNION_Attack&oldid=29290"