SQL Injection · Vulnerabilities

UNION-Based SQL Injection

admin

The “UNION” keyword is used in SQL statements in a sort of SQL injection attack known as union-based SQL injection. By inserting malicious SQL code into an application’s input field, which is then processed by the application’s database, this attack aims to alter the behaviour of a SQL query.

In SQL queries, the “UNION” term is frequently used to group the outcomes of various SELECT statements into a single result set. By inserting a specially constructed SQL statement into the application’s input field that places a UNION statement in the middle of the query, the attacker takes advantage of this.

below is the screenshot of the Home page that I have made to demonstrate the UNION-based sql injection

There are a total of five categories used to filter the information below, as shown in the menu bar. from the table internship_student

We are now taking advantage of it.

therefore, to use it Click on any of the five options to view the URL in order to check how it is interacting with the database in the backend, such as the HTTP request method it is employing. If it’s using the GET method, the URL should look something like “/filter?category=VAPT.” Otherwise, it uses the POST method, but we can verify it by catching the request in the burpsuite. 

Take a look at the screenshot below, where I’ve clicked on VAPT, which is using a GET Request.

If a POST request is being used, it is not visible in the URL.

Now We are Exploiting it So let’s see how it is executing it in the backend.

Let’s try to predict what the above screen shot indicates.

  • There should be five different interest categories, including VAPT, digital forensics, database forensics, etc.
  • It is choosing roughly 3 to 5 columns.
  • The majority of the columns are of the string type.

We can now take the following actions in order to exploit it.

  1. Find a malicious request we can use to our advantage.
  2. Look for the Payload that we can exploit.
  3. Determine how many columns it is returning.
  4. Discover the column datatypes that are being returned.
  5. Identify the backend database that is being used.
  6. Discover the table list in the backend.
  7. Look for tables’ columns that appear to contain credentials.
  8. To obtain sensitive data, choose those columns appropriately and execute the exploit.

Let’s carry out that on the website I created.

Step_1(Find a malicious request we can use to our advantage.)

The website redirects us to the home page after we successfully log in. Choose one of the five categories of filters to start browsing through the content. VAPT, Database Forensics, Digital Forensics, Email Forensics, and Log Analysis are a few examples of these categories. From there, by examining the url, we can confirm that it is making use of the GET Request.

The method being used, such as GET, POST, HEAD, or PUT, can be checked using Burpsuite. GET or POST Methods should be used the majority of the time.

Step_2(Look for the Payload that we can exploit.)

Therefore, we must attach the payload in a way that it is executed without error in order to find the appropriate payloads to use to exploit it. To accomplish this, we can experiment with different payloads; additionally, you can find a list of payloads online, which will assist you in identifying the payload that work for your query.

Let’s make use of the website I created.

I am entering the following payload.

VAPT' OR 1=1-- -

As we can see in the screenshot below, it was exploited using the payload mentioned above, and even though we are looking for VAPT, it is displaying all of the content in the table.

Therefore, we are currently using the UNION keyword to exploit this vulnerability in order to extract useful data from the other tables.

Step_3(Determine how many columns it is returning.)

There are two methods for determining the number of columns.

1st

UNION SELECT NULL, NULL, NULL-- -

2nd

ORDER BY 1-- -

So, for now, we are using the first method.

In order to find the number of columns, we are executing the following payloads one after the other until the error is fixed.

1. VAPT’ OR 1=1 UNION SELECT NULL-- -

2. VAPT’ OR 1=1 UNION SELECT NULL, NULL-- -

3. VAPT’ OR 1=1 UNION SELECT NULL, NULL, NULL-- -

Because NULL can be used with any type of data type, we can use it to add NULL and increase the number of columns.

beginning with the Payload, which has a single NULL character, as shown in the screenshot below, which indicates that it is returning an error.

We are now adding the NULL. Further, the aforementioned query will still return an error because the number of columns in the output does not match the number of columns in our payload.

I am currently running a query that successfully executes our payload.

VAPT' or 1=1 union select NULL, NULL, NULL, NULL, NULL-- -

And Screenshot is provided below

As we can see, there are no errors, and we have added five NULLs, so we can conclude that the database is returning five columns.

NULL stands for nothing. Consequently, the screenshot shows an empty box, as can be seen in above screenshot. 

Step_4(Discover the column datatypes that are being returned.)

Therefore, in this step, we will determine the Datatype of the columns that the query is returning.

As a result, we can infer from the screenshot above that four of the columns are made up of strings and one is an image.

I am currently running a query that successfully executes our payload.

VAPT' or 1=1 union select NULL, “string2”, “string3”, “string4”, “string5”-- -

Adapted based on our prediction, then put into action

Additionally, we can deduce from the above screenshot that it is returning the results of the union query payload that we entered, indicating that all of the data types were correctly predicted.

So now that we have predicted the datatype, we are beginning to enumerate the database.

Step_5(Identify the backend database that is being used.)

There are many different types of databases available. Depending on the particular database management system (DBMS) being used, the commands used to determine the version of a database in use may differ.

The command to find versions for some database types is listed below.

Use the "SELECT VERSION()" command in MySQL.
Use the "SELECT * FROM v$version" command in MySQL.
Use the "SELECT @@VERSION" command in MySQL.
Use the "SELECT version()" command in MySQL.
Use the "db.version()" command in MySQL.
Use the "SELECT VERSION()" command in MySQL.
Use the "SELECT sqlite_version()" command in MySQL.

Note that there may be different variations of these commands depending on the specific version of the DBMS being used. It’s always a good idea to consult the documentation for your particular database management system to find the most accurate and up-to-date command for checking the version.

Therefore, we are now entering those commands one at a time into our Payload.

therefore, the first payload for sqlite will be

VAPT' or 1=1 union select NULL, "string2", sqlite_version(), "string4", "string5"-- -

Sqlite is not used here because, as the above screenshot demonstrates, it is returning an error.

Consequently, the Payload for the MySQL Database is

VAPT' or 1=1 union select NULL, "string2", version(), "string4", "string5"-- -

Now that our payload has been successfully executed, it has given us a version of a MySQL or MariaDB version.

Therefore, going forward, any commands that are run will be based on the Mysql database.

step_6(Discover the table list in the backend.)

In this step, we will discover a list of tables, and from that list, we will discover a table that contains all users. Login information

Now that we are aware that the database type we are using is MariaDB 10.4.27-MariaDB, we can proceed to conduct some online research.

So what exactly are we looking for?

  • Name of the default table, which includes information about each table
  • Name of the default table, which includes information about each column
  • Column names by default for both tables

Consequently, both of the table’s details are available on their official website.

Here is the link of both

https://mariadb.com/kb/en/information-schema-tables-table/

https://mariadb.com/kb/en/information-schema-columns-table/

We are aware that information_schema.tables because of the aforementioned. tables is a table that holds information about other tables, and one of its columns, the table_name, contains the table names.

Therefore, we are currently developing the Payload that will show a list of all the tables.

VAPT' OR 1=1 UNION SELECT NULL, NULL , NULL ,NULL,table_name FROM information_schema.tables -- -

What Does the Payload Above?

  • It chooses the column table_name. From the table information_schema.tables, all the values are then added to the query we are using, placing them all in the fifth column using UNION.

You can see that I am executing the payload I created in the screenshot above.

We can see that it is showing a list of every table in the database in the screen shot up top.

Now that the tables have names like users, employees, students, etc., we can search for their common names. Depending on the application, the table name might be “students” if it’s for students, “users” if it’s for general users, etc.

Let’s look for “users”
If there is any users table exist in the databsse, type crtl+F and search ‘users’ to find them.

So now that you can see that we located the table with the name “users” in the screenshot above, let’s see what columns it has.

step_7(Look for tables’ columns that appear to contain credentials.)

As a result, we can infer from the previous step that the “users” table contains the users’ credentials.

We will now discover the table’s list of columns.

The two columns in “information schema.columns” are “column name” and “table name,” as can be inferred from the discussion above. Therefore, we are showing the rows where “table_name = users” is currently listed from those.

The Payload is listed below.

VAPT' OR 1=1 UNION SELECT NULL,NULL,NULL,NULL,column_name FROM information_schema.columns WHERE table_name = 'users' -- -

You can see that I added the payload to the category filter in the screenshot up top.

As a result, after execution, we can see in the screenshot above that the “users” table’s list of columns is being displayed.

  • User_name
  • password

We now have a list of columns (user name and password), and we will find user credentials for Login using these two columns.

Let’s look for that.

step_8(To obtain sensitive data, choose those columns appropriately and execute the exploit.)

So far, we have information such as table_name and column_name. Currently showing those columns’ data.

Make the payload now.

VAPT' OR 1=1 UNION SELECT NULL,NULL,NULL,user_name, password FROM users -- -

You can also see that in the url category filter as we are currently executing it.

Therefore, as you can see in the screenshot above, the “users” table’s login credentials are all displayed.

Now that we have finished the UNION-based sql Injection Exploit and have all the “users”‘ login information—of which one is the admin—we can access the “admin” account.

Attempting to log into the admin account.

As we can see from the screenshot above, we have successfully exploited the admin account and are able to make any changes.

I’m hoping this tutorial will help you learn something.

Thank You,

Krutagn Patel

Leave a Reply

Your email address will not be published. Required fields are marked *