, where you can retrieve data from different database tables.

application responds with some kind of table or a bunch of results, there a UNION attack can be done, to retrieve data from other tables within the database.

UNION keyword can be added in the query and appended to the results to the original query, a extra field

eg: an application, has a category Gifts, we selected that filter. in the db it would go like

SELECT name, description FROM products WHERE category = 'Gifts'

attacker can do, ' UNION SELECT username, password FROM users-- this will make all the name and description fields come but also username, password fields also

SELECT a, b FROM table1 UNION SELECT c, d FROM table2

For these kind of attacks to work, need to find these things first

  1. matching column numbers → How many columns are being returned from the original query
  2. compatible data types → Which columns returned from the original query are of a suitable data type to hold the results from the injected query

Determining the number of columns required

2 ways to determine how many columns are being returned

  1. ORDER BY

    1. injecting a series of ORDER BY clauses and incrementing the specified column index until an error occurs.

    2. keep sending queries like this and increment the number until an error comes, that will be the number of columns thats being returned

      ' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
etc

  2. UNION SELECT

    1. submitting a series of UNION SELECT payloads specifying a different number of null values:
    ' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
etc.

    till error comes

    Null is used because, the data type must be same in original and injected column and null is convertible to every common data type.

    When the number of nulls matches the number of columns, the database returns an additional row in the result set, containing null values in each column.

Database Specific Syntax

Oracle

In Oracle, every SELECT query must use the FROM keyword and specify a valid table. there’s a built-in table called dual which can be used. So injected query could become ' UNION SELECT NULL FROM DUAL--

Any payload that has, double-dash comment sequence -- comments out the remainder of the original query.

MySQL

comment → -- OR # (double-dash sequence then space or hash)

A UNION attack is to get results from other tables. The interesting data that’s retrieved is normally in string form. So that means, the table/results that’s already being shown, the original query should have atleast one or more columns thats in string form or compatible with it.

After the recon try of finding the required columns, each column can then be tested if it can hold string data.

' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--

like this, lets say if it allowed 4 NULL statements in it, then each NULL can be tested by passing arbitrary data. If it passes then that means, that column can hold string data, or else that particular NULL place will show error.

After the number of columns it can return has been determined, and which columns can hold string data has also been found, then we can try to retrieve interesting data

suppose, query can return 2 columns and both of them strings. The injection point within it is a quoted string within the WHERE clause. a query can be formed. ' UNION SELECT username, password FROM users--

need to know that there’s a table with 2 columns called username and password, without this, have to do guess work. OR modern db provide a way to examine db structure, tables, columns.

Examining Database

Sometimes, the query might only return a single column. In that case, to get values from multiple columns. String Concatenation can be done.

Different db’s have different string concatenation operators