Union-Based injection is an attack in which the attacker takes advantage of an application that does not filter user input correctly, inserting UNION SELECT statements through an injection point to merge query result sets and obtain sensitive data. 1. The principle is to use the UNION operator to combine the results of multiple SELECT queries; 2. Attack example: inject UNION SELECT username, password FROM users into a URL parameter; 3. To confirm an injection point the number of columns must be determined, commonly with ORDER BY or NULL tests; 4. In practice the database name, user information and more can be extracted; 5. Defenses include parameterized queries, input filtering, the principle of least privilege, hiding error messages and deploying a WAF.
SQL Union-Based injection is a common and effective form of SQL injection that attackers use to extract sensitive information from the database. The core of the attack is that the result of a maliciously constructed query is merged into the result of the original query through the UNION operator, so that additional data is returned.

What is Union-Based Injection?
Simply put, Union-Based injection combines the result sets of two or more SELECT queries: when the application does not correctly filter user input, the attacker inserts a statement containing UNION SELECT through the injection point. If the page displays certain fields of the query result, the attacker can see the data returned by the injected part.
For a common example: The URL of a website is like this:

http://example.com/products.php?id=1
If this page has a SQL injection vulnerability and does not filter the id parameter, an attacker may try:
http://example.com/products.php?id=1 UNION SELECT username, password FROM users
The purpose is to "splice" the username and password from the users table into the original product information. If the page happens to output the fields that the first query returns, this sensitive information becomes visible.

How to determine whether a Union injection point exists?
To utilize Union-Based injection, you first need to confirm whether the target has an injection point of that type. Here are some commonly used judgment methods:
- Column number matching: UNION SELECT requires that the queries on both sides of it return the same number of columns. You can use ORDER BY or NULL to determine the number of columns. Example:
http://example.com/products.php?id=1 ORDER BY 5 --
If the page reports an error, the number of columns may be less than 5; reduce the number step by step until no error is reported.
- NULL test: use NULL placeholders to test whether each field can be replaced and displayed. Example:
http://example.com/products.php?id=1 UNION SELECT NULL,NULL,NULL --
If the page displays content normally, you can try replacing the placeholders with real fields.
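From the defender's side, the ORDER BY and NULL probes just described leave a recognizable trace in web server access logs. The following is an added example, not code from the original article: a small detector run over constructed access-log lines (the log lines, the regular expressions and the function names are assumptions), flagging requests whose query parameters carry UNION SELECT, ORDER BY <n> column counting or a trailing SQL comment.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the page), common log format. The two
# probe requests are the page's ORDER BY and NULL examples, URL-encoded as sent.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /products.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /products.php?id=1%20ORDER%20BY%205%20-- HTTP/1.1" 500 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] '
    '"GET /products.php?id=1%20UNION%20SELECT%20NULL,NULL,NULL%20-- HTTP/1.1" 200 480',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /products.php?id=2 HTTP/1.1" 200 510',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the probes described above: UNION SELECT itself, ORDER BY <n>
# column counting, and the trailing comment that discards the rest of the query.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b", re.I),
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$"),
}


def scan_line(line: str) -> Optional[dict]:
    """Decode every query parameter of one request and match it against SIGNATURES."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    params = parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True)
    hits = [(name, sig) for name, value in params
            for sig, rx in SIGNATURES.items() if rx.search(value)]
    if not hits:
        return None
    # A 5xx on a flagged request is the error feedback the column-count probe relies on.
    return {"ip": m["ip"], "target": m["target"], "status": int(m["status"]), "hits": hits}


def scan_log(lines) -> list:
    """Return one finding per request that carries at least one signature."""
    return [finding for finding in map(scan_line, lines) if finding]


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(finding)
```

Matching on decoded parameter values rather than the raw request line is what makes the URL-encoded probes visible; a 500 on a flagged request is the error message the page later says should not be exposed.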
How to extract data in actual combat?
Once the number of columns is determined, you can start trying to extract the data. For example, if you want to view the current database name, user, etc., you can use the following statement:
http://example.com/products.php?id=1 UNION SELECT database(), user(), version() --
If the page can display these three values, it means you can continue to extract more content, such as the user name and password in the user table:
http://example.com/products.php?id=1 UNION SELECT username, password, null FROM users --
Note that the null here pads the column count to match the first query. Different databases have different structures, so you need to know the table structure of the target database before data can be extracted successfully.
How to defend against Union-Based injection?
The key to preventing such attacks lies in strict control and secure handling of user input:
- Use parameterized queries (prepared statements): this is the most recommended approach and avoids SQL injection entirely.
- Filter and validate input: where spliced SQL cannot be avoided, special characters must at least be escaped.
- Principle of least privilege: do not grant database accounts unnecessary permissions such as DROP or DELETE.
- Error message handling: do not expose detailed database error messages to front-end users, since they can be used for probing.
- Web Application Firewall (WAF): deploying a WAF can identify and block some typical injection attack patterns.
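The first and fourth defenses in action, as an added example that is not the article's own code: a stand-in for products.php on an assumed SQLite schema (the tables, rows and function names are constructed for this example), queried once with spliced SQL and once with a bound parameter. The spliced version leaks the users table to the page's three-column payload and turns the ORDER BY probe into a database error; the bound version returns nothing for either input.

```python
import sqlite3

# Constructed in-memory stand-in for the products.php database (an assumption,
# not the page's schema): 3 product columns, plus the users table the page names.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
        INSERT INTO users VALUES ('alice', 'hunter2'), ('bob', 'letmein');
    """)
    return db


def vulnerable_lookup(db: sqlite3.Connection, product_id: str) -> list:
    """Spliced SQL: whatever arrives in ?id= becomes part of the statement text."""
    sql = f"SELECT id, name, price FROM products WHERE id = {product_id}"
    return db.execute(sql).fetchall()


def safe_lookup(db: sqlite3.Connection, product_id: str) -> list:
    """Parameterized query: the driver binds ?id= as a value, never as SQL."""
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return db.execute(sql, (product_id,)).fetchall()


# The page's three-column payload; the trailing null pads the union to match
# the first query's column count.
PAYLOAD = "1 UNION SELECT username, password, null FROM users --"


def compare(product_id: str) -> dict:
    """Run the same input through both lookups and report what each returned."""
    db = make_db()
    try:
        spliced = vulnerable_lookup(db, product_id)
    except sqlite3.OperationalError as e:
        spliced = f"error: {e}"  # what a verbose error page would hand back to the caller
    bound = safe_lookup(db, product_id)
    return {"spliced": spliced, "bound": bound}


if __name__ == "__main__":
    for test_input in ("1", PAYLOAD, "1 ORDER BY 5 --"):
        print(repr(test_input), "->", compare(test_input))
```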
That's basically it. Although Union-Based injection may seem complicated, it is not too difficult to defend against once you understand its principle and attack process. The key is to pay more attention to input handling during development, so as not to give attackers an opening.
The above is the detailed content of SQL Union-Based Injection Attacks. For more information, please follow other related articles on the PHP Chinese website!