{keyword}) Union All Select Null,null,null,null,null,null#

If this payload successfully returns a blank page instead of an error, it confirms to a tester that the application is vulnerable. From there, they can replace the NULLs with commands to extract sensitive data, such as:

- Usernames and passwords.
- Database version and configuration details.
- The entire contents of specific tables.

How to Prevent It

: This treats user input as data, not as executable code.

: This is the core of the attack. The UNION operator combines the results of two or more SELECT statements into a single result set. ALL ensures that duplicate rows are kept.

To protect your application from this type of attack, you should avoid building queries using simple string concatenation. Instead, use:

: Only allow expected characters and formats.
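The two defenses above, shown beside the string-concatenation pattern they replace. This is an added example, not code from the original page; the `products` schema, the function names and the sample rows are hypothetical, and Python's built-in SQLite stands in for the real database. SQLite does not treat `#` as a comment marker, so the concatenated query fails to parse here, which still shows that the input reached the SQL parser as code.

```python
import re
import sqlite3

# Constructed sample: the page's payload with {KEYWORD} filled by a made-up value.
PAYLOAD = "1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL#"

def make_db():
    """In-memory catalogue with constructed rows (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)", [(1, "lamp"), (2, "desk")])
    return db

def lookup_concatenated(db, product_id):
    """Weak: input is spliced into the SQL text, so it can alter the statement."""
    sql = "SELECT id, name FROM products WHERE (id = " + product_id + ")"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, product_id):
    """Hardened: the value is bound to a placeholder and is only ever data."""
    sql = "SELECT id, name FROM products WHERE (id = ?)"
    return db.execute(sql, (product_id,)).fetchall()

ID_FORMAT = re.compile(r"[0-9]{1,9}")  # allow-list: digits only, bounded length

def lookup_validated(db, product_id):
    """Hardened plus allow-list: reject anything that is not a plain id."""
    if not ID_FORMAT.fullmatch(product_id):
        raise ValueError("product id must be 1-9 digits")
    return lookup_parameterized(db, int(product_id))

def outcome(fn, value):
    """Run one lookup on a fresh database and classify what happened."""
    db = make_db()
    try:
        return ("rows", fn(db, value))
    except sqlite3.Error as exc:   # input changed the statement the DB parsed
        return ("database error", type(exc).__name__)
    except ValueError as exc:      # input stopped before reaching the DB
        return ("rejected", str(exc))
    finally:
        db.close()

if __name__ == "__main__":
    for fn in (lookup_concatenated, lookup_parameterized, lookup_validated):
        print(fn.__name__, outcome(fn, "1"), outcome(fn, PAYLOAD))
```

A database error triggered purely by request input, as in the concatenated case, is also a useful signal to alert on in application logs.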

: This is a common reconnaissance technique. An attacker uses NULL values to determine the exact number of columns returned by the original query. If the number of NULLs doesn't match the original column count, the database will usually throw an error. By adding or removing NULLs, an attacker can find the correct structure.

The string you provided is a specific used to test for vulnerabilities in a database. It is designed to trick a web application into running a second, unauthorized query and appending the results to the original one.

Breakdown of the Payload
