The UNION command in SQL is meant to join a query which allows you to two queries as long as the number of columns line up between the two tables. In SQL injection, the purpose is to forge part of the query so it pulls data from somewhere else.
SELECT ID, Account, Password FROM Users WHERE uname = $uname
This is a basic query.
If want to gather info from another table, say SSNs, we can put in something like this:
SELECT ID, Account, Password FROM Users WHERE uname = 1 UNION ALL SELECT SSN,1,1 FROM SSNTable
As you can see, the columns match up. In the original query there were 3 columns (ID, Account, Password) and in the malicious query it’s SSN,1,1. 1,1 won’t return anything but the SSN parameter should if that column exists in that table.
In Mutillidae, this can be exploited.
At the user lookup page, we enter the username as a query:
'union select null --
And we get a syntax error
As you can see, the error message is the SELECT statements have a different number of columns, so this is now a matter of entering enough nulls so the columns align.
The magic number was 7. The query looked like this
' union select null,null,null,null,null,null,null --
Next is fuzzing to see how the columns line up. Just because there’s 7 columns doesn’t mean they will all appear, as you can see there’s only three that show up. Replacing null with 1 should show how the columns align.
So replacing the first null with 1 didn’t show up. Let’s try the second.
There it is! So now what? Well there’s a lot.
|@@version||:||Version of DB|
|UUID()||:||System UUID key|
|system_user()||:||Current Sustem user|
|@@GLOBAL.have_symlink||:||Check if Symlink Enabled or Disabled|
|@@GLOBAL.have_ssl||:||Check if it have ssl or not|
If we enter @@version instead of 1 we get the version of the DB
and so on.