Union Based SQL Injection Attack

Karan Patel
5 min readMar 1, 2021

--

Union-based SQL injection is an IN-band SQL injection technique. When an application is vulnerable to SQL injection and the results of the query are returned within the application’s responses, the UNION keyword can be used to retrieve data from other tables within the database. This results in a Union SQL Injection attack or SQL Injection UNION Attack.

This is a website which we want to prevent UNION SQL injection

For a UNION query to work, two things are requirements those are :

  1. The individual queries must return the same number of columns.
  2. The data types in each column must be compatible with the individual queries.

To working on UNION SQL Injection we need to fulfill the above requirements. So for that, we find out :

  1. How many columns are there in the initial DataBase?
  2. What columns from the initial query are of the right data form to contain the inserted query’s results? ( Which mean in simple terms which column is interactable with us, so for injecting our SQL query )

Determining the necessary number of columns.

There are two effective methods for identifying how many columns are returned from the initial question when performing a SQL injection UNION Attack.

The first method entails inserting a number of ORDER BY clauses and incrementing the defined column index until an error occurs:

' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
etc.

Modify the category the parameter to add an additional column containing an order by value: ‘+ORDER+BY+3 — and notice the Web site respond right side it is 200 OK that means its work properly .

Intercept in Burp Suite
After modifying Respond of the Website looks like. and check the url

If we will increase the ‘+ORDER+BY+3 — to ‘+ORDER+BY+4— then it Shows the error as shown in the below image. and the Web site responds on right side is which shows 500 on the internal server that means something is wrong.

Result of ‘+ORDER+BY+4 — Modification we get error msg on website
‘+ORDER+BY+4 — respond in burp suite look like

The second method involves submitting a series of UNION SELECT payloads specifying a different number of null values:

' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
and so on..

If the number of nulls does not match the number of columns, the database returns some error.

Modify the category the parameter, giving it the value ‘+UNION+SELECT+NULL — . Observe that an error occurs.

Intercept in Burp Suite. Modify ‘+UNION+SELECT+NULL —

In the above image Web site response right side is its show 500 Internal Server Errror that means just because the columns don't match with database columns.

When the number of nulls matches the number of columns, the database returns an additional row in the result set, containing null values in each column. increasing the NULL value ‘+UNION+SELECT+NULL ,NULL— . we get the same error for 2nd column.

So we increasing the NULL value from 2 to 3.

‘+UNION+SELECT+NULL,NULL,NUL--

The output is shown below;

Intercept in Burp Suite and modify the credentials to ‘+UNION+SELECT+NULL,NULL,NULL —
Result of ‘+UNION+SELECT+NULL,NULL,NULL — credentials you can here in the last row is added in data

So now we can say that there are 3 columns in the database.

Now we need to Find out columns which is a useful data type in an SQL injection.

The reason for performing an SQL injection UNION attack is to be able to retrieve the results from an injected query. In general, the interesting data that you want to retrieve will be in string form so you need to find one or more columns in the original query results whose data type is, or is compatible with, string data.

We already determined the number of required columns, you can probe each column to test whether it can hold string data by submitting a series of UNION SELECT payloads that place a string value into each column in turn. For example:

‘ UNION SELECT ‘a’,NULL,NULL —

Try replacing each null with the random strings, for example:

Here we modify the URL in the Burp Suite modify URL .

In the above image, you can see the response from the server is 500 Internal Server Error which means we cant interact with this column.So we move on to the next null and try that instead.

So we move on to the next column
after modifying the‘+UNION+SELECT+’abcdef’,NULL,NULL — to ‘+UNION+SELECT+NULL,’abcdef’,NULL — you can see here string ‘abcdef’ is add in a new row on the website

You can see in the above image the server response is 200 OK. that means we can interact with the 2nd column. and we successfully retrieve the string at the website.

That means we can inject our query in the 2nd column.

So Now we can able to find version no. of the database, database name and other credentials of user or admin like username, password, email eddress.

For retrieving user name and password we need to modify our query:

‘ UNION SELECT username, password FROM users--

For example

this is our target

Step 1. Determining the number of columns returned

Step 2. Finding a column containing text. In this example, no. of columns is two as shown below

Step3. Retrieving data from other tables or columns using this query

‘+UNION+SELECT+username,+password+FROM+users--

As shown in the image, we modify the query and we get a server response 200 OK. that means we successfully retrieve the username and password

The username and password its show below the image

Now just login to check whether we can log in or not.

Thank You. Happy Hacking…

Social Media links:

Linkedin: Karan Patel

--

--