AXIONSECURITY

SQLi

Union-Based

Union-based SQL Injection occurs when an attacker exploits the UNION SQL operator to combine the results of two or more SELECT statements, allowing them to retrieve data from other tables in the database that they would not normally have access to.

How Union-Based SQL Injection Works

  1. Injection: An attacker injects a UNION SELECT statement into a vulnerable SQL query.
  2. Combination: The attacker uses the UNION operator to combine results from their malicious query with the results of the original query.
  3. Data Extraction: The attacker can extract sensitive data from the database if the injected SELECT is compatible with the original query, for example by returning the same number of columns.

Consider a website that allows users to search for products by ID. The original SQL query might look like this:

SELECT product_name, price FROM products WHERE product_id = [user_input];

If this input is not properly sanitized, an attacker could inject a UNION query to extract data:

1 UNION SELECT username, password FROM users;

The resulting request might look like:

http://example.com/search?product_id=1 UNION SELECT username, password FROM users;
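
The product search above, reproduced against an in-memory SQLite database as an added example (not code from the original page): the concatenated query beside a parameterized one and an input check. The function names and sample rows are constructed for illustration; the table and column names follow the page's query.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; schema mirrors the page's example query.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (product_id INTEGER PRIMARY KEY,
                               product_name TEXT, price REAL);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99);
        INSERT INTO users VALUES ('alice', 'constructed-hash');
    """)
    return db

def search_vulnerable(db, product_id):
    # Vulnerable: the input is concatenated into the SQL text, so a
    # UNION SELECT in the input becomes part of the statement.
    sql = ("SELECT product_name, price FROM products "
           "WHERE product_id = " + product_id)
    return db.execute(sql).fetchall()

def search_parameterized(db, product_id):
    # Hardened: the value is bound as a parameter and is only ever
    # compared as data, never parsed as SQL.
    sql = "SELECT product_name, price FROM products WHERE product_id = ?"
    return db.execute(sql, (product_id,)).fetchall()

def search_validated(db, product_id):
    # Defence in depth: product IDs are integers, so anything else is
    # rejected before it reaches the database.
    if not re.fullmatch(r"[0-9]{1,10}", product_id):
        raise ValueError("product_id must be an integer")
    return search_parameterized(db, int(product_id))

if __name__ == "__main__":
    db = make_db()
    injected = "1 UNION SELECT username, password FROM users;"
    print("concatenated :", search_vulnerable(db, injected))
    print("parameterized:", search_parameterized(db, injected))
    print("legitimate   :", search_validated(db, "1"))
```

With the bound parameter the whole input is compared to product_id as a single value, so the UNION clause never executes and no rows from users are returned.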

Performing these attacks on systems without permission is illegal. Always obtain proper authorization before testing for vulnerabilities.
