Union-Based injection is an attack in which an attacker takes advantage of an application that does not filter user input correctly, inserting UNION SELECT statements through an injection point to merge query result sets and obtain sensitive data. 1. The principle is to use the UNION operator to combine the results of multiple SELECT queries; 2. Attack example: inject UNION SELECT username, password FROM users into a URL parameter; 3. To confirm an injection point, the number of columns must be determined, commonly with ORDER BY or NULL tests; 4. In practice, the database name, user information and so on can be extracted; 5. Defences include parameterized queries, input filtering, the principle of least privilege, hiding error messages and deploying a WAF.
SQL Union-Based injection is a common and effective form of SQL injection that attackers use to extract sensitive information from a database. The core of the technique is to merge the results of a maliciously constructed query into the results of the original query through the UNION operator, thereby obtaining additional data.

What is Union-Based Injection?
Simply put, Union-Based injection combines the result sets of two or more SELECT queries. When the application does not correctly filter user input, the attacker inserts a statement containing UNION SELECT through the injection point. If the page displays certain fields from the query results, the attacker can see the data returned by the injected part.
A common example: the URL of a website looks like this:

http://example.com/products.php?id=1
If this page has a SQL injection vulnerability and does not filter the id parameter, an attacker may try:
http://example.com/products.php?id=1 UNION SELECT username, password FROM users
The purpose is to splice the username and password columns of the users table into the original product information. If the page outputs fields from the combined result, this sensitive information becomes visible.

How to determine whether a Union injection point exists?
To exploit Union-Based injection, you first need to confirm that the target has an injection point of this type. Commonly used checks:
Column number matching: UNION SELECT requires that the two queries return the same number of columns. ORDER BY or NULL can be used to detect the number of columns. Example:
http://example.com/products.php?id=1 ORDER BY 5 --
If the page reports an error, the number of columns may be less than 5; reduce the number step by step until no error is reported.
NULL test: use NULL placeholders to test whether each field can be replaced and displayed. Example:
http://example.com/products.php?id=1 UNION SELECT NULL,NULL,NULL --
If the page displays content normally, you can try replacing the placeholders with real fields.
How to extract data in practice?
Once the number of columns is determined, you can start extracting data. For example, to view the current database name, user and version, you can use the following statement:
http://example.com/products.php?id=1 UNION SELECT database(), user(), version() --
If the page displays these three values, more content can be extracted, such as the usernames and passwords in the user table:
http://example.com/products.php?id=1 UNION SELECT username, password, null FROM users --
Note that null here is used to match the number of columns in the first query. Different databases have different structures, so you need to know the table structure of the target database before extraction can succeed.
How to defend against Union-Based injection?
The key to preventing such attacks lies in strict control and secure handling of user input:
- Use parameterized queries (prepared statements): this is the most recommended way to avoid SQL injection completely.
- Filter and validate input: where spliced SQL cannot be avoided, special characters must at least be escaped.
- Principle of least privilege: do not grant unnecessary permissions such as DROP or DELETE to the database account the application uses.
- Error message handling: do not expose detailed database error messages to front-end users, so they cannot be used to detect injection points.
- Web Application Firewall (WAF): deploying a WAF can identify and intercept some typical injection attack patterns.
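An added illustration of the first two defences (example code written for this page, not from the original article): a Python model of the products.php lookup built on sqlite3 with a constructed schema. The spliced version executes the two-column UNION payload shown earlier and leaks the users table; the parameterised version binds the same string as a single value and matches no product; the integer check rejects it before any query runs.

```python
import sqlite3

# Constructed sample schema standing in for the products.php backend
# (example data, not from the original article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'widget', '9.99');
        INSERT INTO users VALUES (1, 'alice', 'hash-of-alice-pw');
    """)
    return conn

# The two-column payload from the article, as it would arrive in ?id=
PAYLOAD = "1 UNION SELECT username, password FROM users"

def lookup_vulnerable(conn, raw_id):
    # Spliced SQL: the parameter becomes part of the statement text, so the
    # attacker's UNION SELECT is parsed and executed as part of the query.
    sql = "SELECT name, price FROM products WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, raw_id):
    # Prepared statement: the driver binds raw_id as one value, so it is
    # compared against id as data and can never alter the query's shape.
    sql = "SELECT name, price FROM products WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()

def parse_id(raw_id):
    # Input validation: a product id is an integer; reject anything else
    # before it reaches the database (None signals rejection).
    try:
        return int(raw_id)
    except ValueError:
        return None

if __name__ == "__main__":
    db = make_db()
    print("spliced   :", lookup_vulnerable(db, PAYLOAD))     # leaks users rows
    print("bound     :", lookup_parameterized(db, PAYLOAD))  # [] - no product matched
    print("validated :", parse_id(PAYLOAD))                  # None - rejected
```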
That is basically it. Although Union-Based injection may seem complicated, it is not difficult to defend against once you understand its principle and attack process. The key is to pay close attention to input handling during development, so as not to give attackers an opening.
The above is the detailed content of SQL Union-Based Injection Attacks. For more information, please follow other related articles on the PHP Chinese website!
