Union Select Operations
Start course

In this course, we're going to continue learning about SQL Injections, focusing on GET SQL Injections. They are very similar to POST SQL Injections but we're going to learn about new techniques, new kinds of attacks, and much more.


Hi, within this lecture, we're going to deep dive a little bit in this SQL injection and we're going to see Union Select operations as well. So, right now, we managed to get the admin password. But we can make this actually in other ways as well. So, we have tried only this way, right?

We nullified the rest of this statement. So, it only filtered for a single user name. So, maybe we can just select this or this in order to test for the other vulnerabilities here as well. So, rather than a regular username, I'm just going to give random username like atil or admin. Okay. But for the password, I'm just going to copy and paste this thing so that we can test to see if this is again injectable as well. So, let's try this and it will just run the query with a username and for the password and if it doesn't work, it will just see if one equals one since one equals one. It displays all the results back to us. So remember that's what we got like it logged in with a default user before. Right now, it's displaying the default everything back to us.

So, it's a big mistake, it's a big vulnerability. But if we get it, then we can see every single detail in that database or in that table, actually. So, this is working, and the password is working as well. So, we definitely know that this is injectable and there is a huge SQL injection vulnerability over here. But we want to dig a little bit deeper over there, just to understand this in a deeper sense and also to enhance our skills. So, remember how it all got started for us? We actually tried for this. So, we injected this and one equals to one statement. And if that works, then we assumed that this is injectable because we could have injected this and one equals to one thing. So, if it's not injectable, then it will give us some kind of an error message or display nothing back to us. But, if it works, then it means that there is a SQL injection opportunity. But this is not the only way that we can understand this. So, let me write it and you can understand it in a better way. So, after the password, if we do a single quotation mark as usual and we can just say this ORDER BY 1.

So, this will order the columns are ordered the actually the data inside of one column. And the column that will be based in this ordering will be the first column, column one. Okay, so, we can order the queries, order the records that we get back from query by this order by thinking. And of course, we don't care the order of the data, actually. But if we can actually order something, or if we can actually inject something then we will definitely understand that it's injectable. So, it's exactly the same thing like and one equals to one. But in some cases, one equals to one doesn't work, but order by one would work. So, this is again one of the things that you should try to see if this is injectable or not. Okay, so remember this order by thing and it's very useful because we're going to build up on that as well. So far, we have confirmed that there is a SQL injection possibility. Right? And what to do next? Maybe we can come over here. Okay, let me just come back to here or at the bottom of this text and I'm going to take some note again so that I can share all these notes with you later on. So, rather than get method, I'm just going to go for the Union select because we have learned how to do union select in sql one or one. But we haven't seen how to do it or we haven't practiced it. Right? So, let me just first of all take a note over here and right. Union select. After that, we're going to write their username like this. Okay. atil a single dash or single actually quotation mark in here. An after over atil I'm going to say union select. And I'm going to say union select 1 like order by one. But this time I'm going to say union select 1. So, remember we have to do this as much as it's needed to understand how many columns are there in the left-hand side of the select everything from account stink and right-hand side of the union select. Okay.

So, we're going to see atil single quotation mark, union select 1. And then, of course, we want to just nullify the rest of the code by hashtag. So, I'm going to copy over here, copy this thing. Okay. And you can just do it with two dashes as well if it's needed. So, until union select 1 and hashtag and for the password, I'm just going to give something and here you go. We have an error. Why do we have an error? Because the left-hand side and the right-hand side do not match in the column, actually column numbers. So, in real life we wouldn't get this error and we wouldn't get anything back. But we understand that there should be something wrong with the column numbers then we will continue to add as much as it's needed. So, I'm going to say one and two or one and one is fine as well. Because you will see why I'm going to just say one and one.

But later on, we're going to have to just change it back. So, let me try one and one and see if this works or not. As you can see in this case, it shows the diagnostic information as well. But in real life you wouldn't get that much detailed thing. So, I'm going to say nothing for the password or just something like one or two. And we account details as you can see it still gives us the error. So, I'm going to continue to try this as long as it's needed. So, let's add one more, and it didn't work. So, let's add one more time. So, I believe this is five columns, one, two, three, four, five. And if I save you here you go now. We managed to get something out of this. So, what does it mean? It means that left side of the union select and right side of the union select has actually five columns. And as you can see, we get a very interesting thing over here. Username is 1, Password is 1, Signature is 1.

So, it really doesn't make sense, okay? But we can understand that there are five columns in the left-hand side. Okay. And we have to make the right-hand side to actually adapt to five columns somehow so that we can understand what kind of details that we may get out of this one. So, let me do it like this and you will see it in a more clear way. So, if I do one, two, three, four, five, then if I give something to password. Then as you can see, Username is 2, Password is 3 and Signature is 4. So, we have two, three and four or second, third and fourth columns in the right-hand side. So, they are not necessarily username, password or signature. But there are some details that we may get out of those, okay? Like there are some details that we can actually read if we give their right column names. So, let me just write them over here in our notes. So, rather than two, if we give some right column name like username or something like that, then it may show us the details of the username column.

Like we have seen before. We don't know if it's going to work or not, but it's worth a shot. But as you can see it says that unknown column 'username' in 'field list'. So, it doesn't work. So again, like we tried when we learned about a square, we can try to guess the id or password or name or email, something like that over here, right? But also I said before that we could try something to learn about the column names as well rather than trying randomly. Right? So, we're going to do that, actually. So ,let's try to see if there's an id column. As you can see, it says that no, you cannot see this. Let's try something like email again. There is no email column in this list. So, let's see user email as you can see, we cannot see that as well. So, most of the time it would work, by the way. But as you can see in this case, it doesn't work. So, we have to understand why it doesn't work and we have to understand if we can get these details from the SQLite or SQL database or not.

So, right now we know the column count but we cannot go further, right? So, I'm going to show you something like a special function that you can use in order to get the database data actually or database information. So, if you write it like this database user and version. Okay. If it's vulnerable, then you can get the information regarding to database name, user that these databases running on or assigned to and the version of the database as well. Okay. So, this may lead us to get the column names as well. So, rather than username I'm just going to say database in the second column. And in the third column I'm just going to say user. Okay. With parentheses. And for the fourth column I'm just going to say version and after comma of course you're going to have to say five and just say we want account details.

So, here you go in the username it says owasp10. It's not the username, actually it's the database name in the password it says root and it's not the password it's the user of this database and this is the version of this database. So, we managed to get some data to shown in here and we know that second third and fourth column works in order to retrieve some data. So, we know a lot of useful information. So, we're going to work with second, third and fourth columns, and we know we can run some special functions to learn about the user and the database name or the database version. Now we're going to build up on that and see what we can get out of this database further.

About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.