This article is the sequel to my previous PortSwigger Web Security Academy write-up, which you can find here.
This time we will take a deep look at UNION attacks, so let's start.
When the results of the query are returned in the application's response, UNION can be used to retrieve data from other tables. For example:
SELECT a, b FROM table1 UNION SELECT c, d FROM table2
Two requirements must be met for this to work:
- The two queries must return the same number of columns.
- The data types in each column must be compatible between the two queries.
There are two methods to find the number of columns: ORDER BY and UNION SELECT NULL.
Because we can put a column name or a column position after ORDER BY, we can try the SQL below:
' ORDER BY 1--
If there is no error, we know the first query has at least 1 column. Then we can try:
' ORDER BY 2--
and keep increasing the number until we get an error such as:
The ORDER BY position number 3 is out of range of the number of items in the select list.
Then we know the first query has 2 columns.
Because we can directly SELECT values with UNION, we can also try:
' UNION SELECT NULL--
Why NULL? Because, as mentioned above, the two queries must have compatible data types in each column, and NULL is compatible with any data type.
If the number of NULLs does not match the first query's column count, you will probably get an error like:
All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists.
So keep adding NULLs until there is no error!
After we get the number of columns, we can continue to determine the type of each column, so that we can use those columns to hold the data we are interested in. For example:
' UNION SELECT 'a',NULL,NULL --
If you get an error like:
Conversion failed when converting the varchar value 'a' to data type int.
switch the position of the string to find out which column is of string type, or use an integer or another type instead.
We can concatenate values together to show multiple values in one column; for example, in Oracle:
' UNION SELECT username || '~' || password FROM users--
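To see why the concatenation payload above works, and what stops it, here is an added example (not from the original article or the Academy labs) that runs the same payload against a string-built query and against a parameterized one. It assumes an in-memory SQLite database with a constructed two-column products table and a constructed users table; SQLite uses || for concatenation like Oracle and treats -- as a comment.

```python
"""Vulnerable vs. parameterized query, exercised with the article's UNION payload."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; every value here is made up for the demo.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (name TEXT, price INTEGER);
        INSERT INTO products VALUES ('Widget', 10), ('Gadget', 25);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-secret');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The 'before' code: user input is spliced into the SQL text, so a quote
    # closes the literal and a UNION can append rows from another table.
    sql = f"SELECT name, price FROM products WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The fix: the driver sends the value separately from the query text, so
    # the whole string is compared against the name column as plain data.
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# The article's payload, with the column count (2) already determined and a
# NULL filling the second column so the data types stay compatible.
PAYLOAD = "' UNION SELECT username || '~' || password, NULL FROM users--"

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, PAYLOAD))     # [('admin~constructed-secret', None)]
    print(search_parameterized(db, PAYLOAD))  # []
```

The vulnerable function returns the users row appended to the (empty) products result, while the parameterized one returns nothing because no product is literally named after the payload string.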