The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws
AUTHOR        TITLE                              YEAR
Litchfield    The Database Hacker's Handbook     2005
Anley         The Shellcoder's Handbook          2007
admin         r00tr0x                            0
cliff         Reboot                             1

Chapter 9  Injecting Code  251
NOTE  When the results of two or more SELECT queries are combined using the UNION operator, the column names of the combined result set are the same as those returned by the first SELECT query. As shown in the preceding table, usernames appear in the author column and passwords appear in the title column. This means that when the application processes the results of the modified query, it has no way of detecting that the data returned has originated from a different table altogether.

This simple example demonstrates the potentially huge power of the UNION operator when employed in a SQL injection attack. However, before it can be exploited in this way, two important provisos need to be considered:

■ When the results of two queries are combined using the UNION operator, the two result sets must have the same structure — that is, they must contain the same number of columns, which have the same or compatible data types, appearing in the same order.

■ In order to inject a second query that will return interesting results, the attacker needs to know the name of the database table that he wishes to target, and the names of its relevant columns.

Let's look a little deeper at the first of these provisos. Suppose that the attacker attempts to inject a second query which returns an incorrect number of columns. He supplies the input

Wiley' UNION SELECT username,password FROM users--

The original query returns three columns, and the injected query only returns two columns. Hence, the database returns the following error:

ORA-01789: query block has incorrect number of result columns

Suppose instead that the attacker attempts to inject a second query whose columns have incompatible data types. He supplies the input

Wiley' UNION SELECT uid,username,password FROM users--

This causes the database to attempt to combine the password column from the second query (which contains string data) with the year column from the first query (which contains numeric data). Because string data cannot be converted into numeric data, this causes an error:

ORA-01790: expression must have same datatype as corresponding expression
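The following added example (not code from the book) reproduces both points above in a self-contained way: the NOTE's observation that a UNION result carries the column names of the first SELECT, and the first proviso that both SELECTs must return the same number of columns. It builds a constructed in-memory SQLite database with "books" and "users" tables mirroring the book's example, runs the same inputs through a query built by string concatenation and through a parameterised query, and returns the column names, rows and any database error so the difference can be checked programmatically. The function names, the "publisher" column and the extra "Other" row are assumptions of this example. One caveat: SQLite uses dynamic typing, so it enforces only the column-count rule (the analogue of ORA-01789); the data-type mismatch that Oracle rejects with ORA-01790 runs without error here.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed schema and rows for this example; they mirror the book's
# "books" and "users" tables but are not its data.
SCHEMA = """
CREATE TABLE books (author TEXT, title TEXT, year INTEGER, publisher TEXT);
CREATE TABLE users (uid INTEGER, username TEXT, password TEXT);
INSERT INTO books VALUES ('Litchfield', 'The Database Hacker''s Handbook', 2005, 'Wiley');
INSERT INTO books VALUES ('Anley', 'The Shellcoder''s Handbook', 2007, 'Wiley');
INSERT INTO books VALUES ('Other Author', 'Other Book', 2001, 'Other');
INSERT INTO users VALUES (0, 'admin', 'r00tr0x');
INSERT INTO users VALUES (1, 'cliff', 'Reboot');
"""

Result = Tuple[List[str], List[tuple], Optional[str]]


def open_db() -> sqlite3.Connection:
    """Create the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_books_vulnerable(conn: sqlite3.Connection, publisher: str) -> Result:
    """Build the SQL by string concatenation, so the input is parsed as SQL.

    Returns (column_names, rows, error). error is None when the statement
    parsed and ran; otherwise it holds the database's error text, which is
    what a verbose error page would hand back to the client.
    """
    sql = ("SELECT author, title, year FROM books WHERE publisher = '"
           + publisher + "'")
    try:
        cur = conn.execute(sql)
    except sqlite3.Error as exc:
        # e.g. the column-count mismatch the book shows as ORA-01789
        return [], [], str(exc)
    # Column names come from the first SELECT only, whatever the second
    # SELECT of a UNION contributes (the point of the NOTE above).
    columns = [d[0] for d in cur.description]
    return columns, cur.fetchall(), None


def search_books_safe(conn: sqlite3.Connection, publisher: str) -> Result:
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    cur = conn.execute(
        "SELECT author, title, year FROM books WHERE publisher = ?",
        (publisher,),
    )
    return [d[0] for d in cur.description], cur.fetchall(), None


if __name__ == "__main__":
    db = open_db()
    inputs = [
        "Wiley",
        "Wiley' UNION SELECT username,password FROM users--",      # 2 columns vs 3
        "Wiley' UNION SELECT uid,username,password FROM users--",  # 3 columns
    ]
    for value in inputs:
        print("input:", value)
        print("  concatenated :", search_books_vulnerable(db, value))
        print("  parameterised:", search_books_safe(db, value))
```

With the three-column input, the concatenated version returns four rows under the headings author, title and year, and the application cannot tell from the column names that two of the rows came from the users table; the parameterised version returns no rows for the same input because no publisher is literally equal to that string.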

NOTE