SQL injection Union attack: Determining the number of columns required in an SQL injection UNION attack
Hey, there fellow hackers. This post will be about using SQL injection UNION attacks and using it to determine the number of columns in an application’s database. (Web Security Academy — SQL injection).
What is an SQL injection Union attack?
It occurs when an application is weak and susceptible to SQL injection and as a result when the application returns with a response after a request, the UNION keyword is used to access information from other tables in the database of the application.
How does it work?
The UNION operator function is to combine the results of two or more SELECT statements. The injection then works by then adding an additional SELECT statement to the original one.
Keep in mind for a successful attack two things are needed:
- The same amount of columns in the original query and injected query.
- The data type is of the same type as the original query and injected query.
Now, let’s take a look at how to determine the number of columns required in an SQL injection UNION attack.
There are two methods to determine the number of columns that would be returned from the original query.
The first one is by injecting ORDER BY clauses and incrementing the column index until there is an error.
This can be achieved by
’ORDER BY 1 — -
(’ORDER BY 2 — — )
If the SQL injection is occurring within a quoted string within the WHERE clause of the original query. An error would occur when the specified column index exceeds the original query’s total number of columns which would now cause you the attacker to know how many columns exist in the original query.
The error messages however can be presented in various formats therefore you have to be observant of the varying responses that the query present. 💯
This involves submitting numerous UNION SELECT payloads having a different number of null values.
‘ UNION SELECT NULL- -
‘ UNION SELECT NULL NULL- -
If the number of nulls does not match the number of columns, the database returns an error.
Alrighty, I hope I have been clear so far. I will now attempt what I learned in the following lab.
For this lab, I will be using Burp Suite Community Edition software along with the second method (‘ UNION select NULL- -) mentioned above to determine how many columns are in the Corporate Gifts product category.
In the lab choose the category Corporate gifts and turn on Foxy Proxy (Google Chrome extension that works with Burp Suite)
In Burp Suite
Firstly select Proxy→ Intercept is on
Refresh the lab page.
Right-click in the Proxy window in Burp Suite and choose to Send to Repeater.
In the Repeater window
Inject the SQL: ‘ UNION SELECT NULL — — after the category type
As you can see in the response window an error message is seen ‘500 Internal Error’ this means that there is more than one column. We have to keep adding NULL (+UNION+SELECT+NULL,+ NULL — — ) and send until we are no longer seeing an error message in the first line.
We now know the number of columns by performing a SQL injection UNION attack using method 2 on the Corporate Gifts category, the total columns are 3!
With method 1 we know an error occurs when the column is exceeded. So with the SQL injection: ‘+ORDER+BY+1’ The result is as below proving there is more than 1 column.
The results below of method 1 show an error therefore the total of the column has been exceeded at 4 columns. The product category filter of Corporate gifts has 3 columns.
I hope you learned something today! Writing this blog solidified what I learned. Follow me for more cyber security content.