turbot/tailpipe-mod-apache-access-log-detections

Detection: SQL Injection Union Based

Overview

Detect UNION-based SQL injection attacks that attempt to join results from another query to the original query's results. UNION-based SQL injection is a technique where attackers append an additional SELECT statement to an existing query using the UNION operator. This technique allows attackers to combine results from the original query with results from an injected query, enabling them to extract data from different database tables.

This detection identifies various patterns of UNION-based SQL injection, including regular syntax, URL-encoded variants, and obfuscation techniques designed to evade detection. Attackers often use these methods to bypass security controls while still executing malicious database queries.

References:

Usage

Run the detection in your terminal:

powerpipe detection run apache_access_log_detections.detection.sql_injection_union_based

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run apache_access_log_detections.detection.sql_injection_union_based --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  *
  exclude (status, timestamp)
from
  apache_access_log
where
  request_uri is not null
  and (
    -- UNION-based patterns
    request_uri ilike '%union%select%'
    -- Evasion techniques specific to UNION
    or request_uri ilike '%uni%on%sel%ect%'
    or request_uri ilike '%uni*/*/on/**/sel/**/ect%'
    or request_uri ilike '%un?on+sel?ct%'
  )
order by
  tp_timestamp desc;
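To see what the four ILIKE patterns above actually match, the following added example (it is not part of the tailpipe mod and does not use Tailpipe or DuckDB) parses a handful of constructed Apache combined-format log lines, translates each ILIKE pattern into a regular expression with the same semantics (% matches any run of characters, _ a single character, everything else is literal, case-insensitive), and reports the same columns the query selects. It runs the match twice: once on the raw request_uri exactly as the query does, and once after URL-decoding the URI, a normalisation step the query itself does not perform. The sample log lines, IP addresses and timestamps are all constructed, and the decode pass is an assumption added here to show why normalisation before matching matters.

```python
"""Added example (not the tailpipe mod's code): apply the detection's UNION
ILIKE patterns to constructed Apache access log lines."""
import re
from datetime import datetime
from typing import List, Optional
from urllib.parse import unquote_plus

# The four ILIKE patterns from the detection's where clause, in query order.
UNION_PATTERNS = [
    "%union%select%",
    "%uni%on%sel%ect%",
    "%uni*/*/on/**/sel/**/ect%",
    "%un?on+sel?ct%",
]

# Constructed sample log lines in Apache combined format (not from a real server).
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /products?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '203.0.113.12 - - [10/Oct/2023:13:55:38 +0000] "GET /products?id=1/**/UNI/**/ON/**/SEL/**/ECT/**/1,2 HTTP/1.1" 500 128 "-" "python-requests/2.31"',
    '203.0.113.13 - - [10/Oct/2023:13:55:39 +0000] "GET /products?id=1%20%75nion%20%73elect%201,2 HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '203.0.113.14 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=union+select+committee HTTP/1.1" 200 256 "-" "Mozilla/5.0"',
]

# Combined log format: ip ident user [timestamp] "method uri proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<source_ip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<operation>\S+) (?P<resource>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<actor>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def ilike_to_regex(pattern: str) -> "re.Pattern":
    """Translate a SQL ILIKE pattern to a compiled, case-insensitive regex.
    '%' matches any run of characters and '_' any single character; every other
    character ('?', '+', '*', '/' included) is literal, as it is in SQL."""
    out = []
    for ch in pattern:
        if ch == "%":
            out.append(".*")
        elif ch == "_":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE | re.DOTALL)


COMPILED_PATTERNS = [(p, ilike_to_regex(p)) for p in UNION_PATTERNS]


def parse_log_line(line: str) -> Optional[dict]:
    """Split one combined-format line into the columns the detection reports."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_union(uri: str) -> Optional[str]:
    """Return the first ILIKE pattern the URI satisfies, or None (mirrors the OR chain)."""
    for pattern, rx in COMPILED_PATTERNS:
        if rx.match(uri):
            return pattern
    return None


def detect(lines: List[str], decode: bool = False) -> List[dict]:
    """Run the detection over log lines. decode=True URL-decodes request_uri first,
    which is an added normalisation step the original query does not perform."""
    hits = []
    for line in lines:
        row = parse_log_line(line)
        if row is None or not row["resource"]:   # request_uri is not null
            continue
        uri = unquote_plus(row["resource"]) if decode else row["resource"]
        pattern = match_union(uri)
        if pattern:
            hits.append({**row, "matched_pattern": pattern})
    # The query orders by tp_timestamp desc: most recent request first.
    hits.sort(key=lambda r: datetime.strptime(r["timestamp"], TS_FORMAT), reverse=True)
    return hits


if __name__ == "__main__":
    for label, decode in (("raw request_uri", False), ("URL-decoded request_uri", True)):
        print(f"== {label} ==")
        for hit in detect(SAMPLE_LOG_LINES, decode=decode):
            print(hit["timestamp"], hit["source_ip"], hit["operation"],
                  hit["resource"], "->", hit["matched_pattern"])
```

Run as-is, the raw pass flags three of the five lines: the percent-encoded-space variant, the comment-split variant (caught by the `%uni%on%sel%ect%` pattern rather than the first one), and the benign search query for "union select committee", which is worth remembering when triaging alerts from this detection. The line whose letters are percent-encoded is only flagged in the decode pass, so if your pipeline stores request_uri raw, consider matching on a decoded copy as well.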

Tags