In-band SQL injection, often known as UNION-based SQL injection, empowers the extraction of data from the database through the utilization of the UNION SQL command. This type of attack allows a penetration tester to retrieve database content, including the database name, table schemas, and actual data.
As illustrated in the initial chapter of this module, the UNION statement merges the result sets of two or more SELECT statements. For instance:
SELECT <field list> FROM <table> UNION SELECT <field list> FROM <another table>;
Consider a scenario where the database contains two tables: CreditCards
and Users
. For example:
CreditCards
|id(int)|username(string)|password(string)|real_name(string)|
|-------|----------------|----------------|-----------------|
| 1 | admin | strongpass123 | Armando Romeo |
| 2 | fred | wowstrongpass123| Fred Flintstone|
Users
|user_id(int)|Cc_num(int) |CVS(int)|
|------------|---------------------|--------|
| 1 | 0000 1111 2222 3333 | 123 |
| 2 | 0123 4567 8901 2345 | 321 |
The web application employs the following code to display usernames:
<?php
$rs = mysql_query("SELECT real_name FROM users WHERE id=" . $_GET['id'] . ";");
$row = mysql_fetch_assoc($rc);
echo $row['real_name'];
?>
Here, there is a clear SQL injection point in the id
field of the SQL query.
To exploit the SQL injection vulnerability and retrieve the credit card associated with a username, the payload is:
9999 UNION ALL SELECT cc_num FROM CreditCards WHERE user_id=1
This payload transforms the web application query into:
SELECT real_name FROM users WHERE id=9999 UNION ALL SELECT cc_num FROM CreditCards WHERE user_id=1;
Since there are no users with id=9999
, the web application displays the cc_num
of the first user.
Several considerations arise in this in-band attack:
- The field types of the second SELECT statement should match those in the first statement.
- The number of fields in the second SELECT statement should match the number of fields in the first statement.
- To succeed in the attack, knowledge of the database structure in terms of tables and column names is essential.
To address the first two issues, an advanced technique can be employed to determine what columns are used in a SELECT statement. However, for this, we assume knowledge of the database structure.
Enumerating the number of columns, or fields, in query selects involves a cyclical task. Incorrectly providing the number of fields in the injected query can result in errors. If an error occurs, the DBMS outputs distinct error strings:
- MySQL error: "The used SELECT statements have a different number of columns"
- MS SQL error: "All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists."
- PostgreSQL error: "ERROR: each UNION query must have the same number of columns"
- Oracle error: "ORA-01789: query block has incorrect number of result columns"
To discover the number of fields needed, an iterative approach using null fields can be employed:
999 UNION SELECT NULL; -- -
999 UNION SELECT NULL, NULL; -- -
999 UNION SELECT NULL, NULL, NULL, NULL; -- -
Iteratively adding null fields until the error disappears helps identify the required number of fields for a valid query. This compels the web application to execute corresponding queries and assists in refining the injection payload.