The UNION Attack Simply Explained

The UNION attack is when an attacker uses the UNION keyword to execute an additional SELECT SQL query, which will then append the results to the original query.

The results that are returned in the SQL query are usually as a result of an attacker leveraging on the SQL injection vulnerability to be able to retrieve data from the database tables.

For instance, if we can use the shopping application that we used in our previous tutorial on the Examples of SQL Injection Attack – On Retrieving Hidden Data, we can submit an SQL query as shown below:

https://www.shoppingwebsitelink.com/products?category=Shoes

UNION SELECT username, password FROM users--

The above input will cause the shopping website to return all the usernames and all the passwords on the application together with all the names and the descriptions of the products in the shopping application database.

UNION Attack Simply Explained

How The UNION Keyword is Used in Hacking

The UNION keyword allows an attacker to execute one or more additional SELECT queries which will then be appended to the original query. For instance:

SELECT x, y FROM table Z UNION SELECT 1, 2 FROM  table 3

The above SQL query will return results of columns Z and 3 containing values of x, y and 1, 2 respectively.

NOTE:

In order for a UNION attack to work successfully, then the SQL queries must be able to return the same number of columns and the data types in all the columns must be compatible with the individual queries.

Therefore, it is important to know how many columns are present in a database before sending the UNION SQL query to the database.

Additionally, one has to know which columns will be returned from the original query containing the data type.

Therefore, how does one get to determine the number of columns in a database before performing any form of SQL injection UNION attack?

There are two ways to do that: