Lab9 SQL Injection - SQL Injection UNION Attacks
Objective:
- This lab focuses on exploring and understanding Union-Based SQL Injection attacks.
Participants will engage with a simulated web application that is vulnerable to SQL injection,
specifically through the misuse of the UNION SQL operator. The objective is to learn how to
identify, exploit, and subsequently defend against Union-Based SQL Injection vulnerabilities.
Union-Based SQLi: Uses UNION SELECT to fetch data from different tables and display results in the
application's response.
Error-Based SQLi: Extracts data by causing intentional database errors that reveal useful
information.
Boolean-Based SQLi: Uses true/false conditions to infer database structure without
directly seeing data.
Time-Based SQLi: Uses SQL functions like SLEEP() to measure response time, inferring data from
delays.
Blind SQLi: The attacker receives no direct output but determines data through indirect
responses.
o Explain the role of the UNION SQL operator in this type of attack and how it can be used
to extract data from a database that is not typically accessible through the intended use
of a web application.
Role of the UNION SQL Operator in Union-Based SQL Injection
The UNION SQL operator is used in Union-Based SQL Injection to combine the results of
multiple SELECT queries into a single result set. Attackers exploit this feature to retrieve
unauthorized data from a database by injecting malicious SQL queries.
How the UNION SQL Operator Works in SQL Injection
1. Combining Two SELECT Statements:
The UNION operator merges the output of two or more SELECT statements if they have the same
number of columns and compatible data types.
2. Bypassing Application Restrictions:
Many applications only allow certain data to be queried (e.g., customer details).
Using UNION, an attacker can extract hidden tables like users, admin_credentials, etc.
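
Added example (not part of the original lab sheet): the same category lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite database, to show why only the concatenated form lets a UNION SELECT change the result set and how the column-count rule surfaces as a database error. The table contents, function names and input strings are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: a public products table and a hidden users table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, category TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('Mug', 'Gifts'), ('Lamp', 'Home');
        INSERT INTO users VALUES ('administrator', 'constructed-secret');
    """)
    return db

def search_vulnerable(db, category):
    # Input is concatenated into the SQL text, so it can change the query's structure.
    sql = "SELECT name, category FROM products WHERE category = '" + category + "'"
    return db.execute(sql).fetchall()

def search_parameterized(db, category):
    # Input is bound as a value; the SQL text (and its single SELECT) stays fixed.
    sql = "SELECT name, category FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

def union_column_error(db, category):
    """Return the database error raised when the UNION column counts differ, else None."""
    try:
        search_vulnerable(db, category)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

# Constructed inputs of the kind this lab describes
NORMAL = "Gifts"
UNION_INPUT = "Gifts' UNION SELECT username, password FROM users--"
WRONG_COUNT = "Gifts' UNION SELECT username FROM users--"

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", search_vulnerable),
                      ("parameterized", search_parameterized)):
        print(label, fn(db, NORMAL), fn(db, UNION_INPUT))
    print("column mismatch:", union_column_error(db, WRONG_COUNT))
```

With the bound parameter the whole input is compared as one category string, so it matches no row and the users table is never read.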
Extracting Hidden Data with UNION-Based SQL Injection
1. Finding the Number of Columns
2. Identifying Data Types
3. Extracting Sensitive Data
Perform challenge:
o SQL injection UNION attack, determining the number of columns returned by the query
Explain and capture all steps (full windows screen capture).