Types Of SQL Injection Attacks - Union Based Attacks
Hello all,
Here is another post on SQL Injection attacks. This week, we'll be taking a look at Union Based SQL injection attacks. Union based injection attacks allow the attacker to extract data out of the system.
Let's consider the following address again:
http://www.site.com/table?column=x
Union based attacks go along with error based attacks. Errors inform the attacker on which columns and tables exist in the database schema, which in turn makes guessing tables and columns in union based injection attacks easier. One good method for discovering the underlying database is to use common system tables. The example below demonstrates this:
Attack 1: http://www.site.com/table?column=x' union select 1 from all_tables--
Error: table or view does not exist.
Attack 2: http://www.site.com/table?column=x' union select 1 from information_schema.tables--
Error: Incorrect number of result columns.
In attack 1 the attacker incorrectly guesses the oracle database as the underlying schema. The attacker then changes the attack to select from a Microsoft system table. This returns an error that confirms the underlying schema is Microsoft. That is the error does not state that the table does not exist but instead says the number of columns in a table that does exist is invalid.
Now that we know what the underlying database is, we can use this to our advantage in the following attack:
http://www.site.com/table?column=x' union select object_id, name from sys.tables--
This allows us to extract tables out of the system. If any of this feels tedious, it's because it is. There is a tool worth checking out for automating sql injection attacks:
http://www.sqlinjection.net/sqlmap/
It is also worth checking out the following sources below:
Hunt, T. (2015, May). Ethical Hacking: SQL Injection. Retrieved from https://app.pluralsight.com/library/courses/ethical-hacking-sql-injection
sqlinjection.net (2018). SQL Injection Using UNION. Retrieved from http://www.sqlinjection.net/union/
Here is another post on SQL Injection attacks. This week, we'll be taking a look at Union Based SQL injection attacks. Union based injection attacks allow the attacker to extract data out of the system.
Let's consider the following address again:
http://www.site.com/table?column=x
Union based attacks go along with error based attacks. Errors inform the attacker on which columns and tables exist in the database schema, which in turn makes guessing tables and columns in union based injection attacks easier. One good method for discovering the underlying database is to use common system tables. The example below demonstrates this:
Attack 1: http://www.site.com/table?column=x' union select 1 from all_tables--
Error: table or view does not exist.
Attack 2: http://www.site.com/table?column=x' union select 1 from information_schema.tables--
Error: Incorrect number of result columns.
In attack 1 the attacker incorrectly guesses the oracle database as the underlying schema. The attacker then changes the attack to select from a Microsoft system table. This returns an error that confirms the underlying schema is Microsoft. That is the error does not state that the table does not exist but instead says the number of columns in a table that does exist is invalid.
Now that we know what the underlying database is, we can use this to our advantage in the following attack:
http://www.site.com/table?column=x' union select object_id, name from sys.tables--
This allows us to extract tables out of the system. If any of this feels tedious, it's because it is. There is a tool worth checking out for automating sql injection attacks:
http://www.sqlinjection.net/sqlmap/
It is also worth checking out the following sources below:
Hunt, T. (2015, May). Ethical Hacking: SQL Injection. Retrieved from https://app.pluralsight.com/library/courses/ethical-hacking-sql-injection
sqlinjection.net (2018). SQL Injection Using UNION. Retrieved from http://www.sqlinjection.net/union/
Comments
Post a Comment