Question

Consider a SQL-vulnerable site.

Let the number of columns in the query be 3.

So the statement goes, www.test.com?php.id=-1' union select 1,2,3 --+-

My understanding of this statement is like this.

  1. There are 2 statements
  2. Union is used to join both statements.
  3. (-) is used to null the value of the first statement.
  4. ' is used to break the query and input a second statement, and --+- is used to comment out the rest of the statement.

Upon inputting this statement, the website displays 2 and 3 as vulnerable columns.

What I don't get is how a select statement displays the vulnerable columns.


Solution

Suppose your back-end code did something like:

sql = "SELECT UserId, UserName, Password from Users where UserID = " + id + " AND password = '" + password + "'"

So it would only return results if the User ID and password matched.

Then "injecting" the code above would result in a SQL statement of

SELECT UserId, UserName, Password from Users 
where UserID = -1 union select 1,2,3 --+- AND password = 'anything'

Presumably the UI might then display 1 and 2 in the "username" and "password" fields, identifying them as "vulnerable".

It's a technique used to determine how SQL statements are built in back-end code in order to define a true SQL injection attack to retrieve sensitive data.
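As an added example (not code from the question or the answer), the script below uses Python's standard sqlite3 module and a constructed Users table to reproduce the answer's concatenated query. It shows what the UNION payload from the answer turns the statement into, what a UI that reads the UserName and Password columns would echo back (in this constructed schema that is columns 2 and 3, which is what the asker saw), and beside it a parameterised version of the same lookup where the payload is bound as a value and can no longer change the statement. The table, the rows and the render_profile helper are assumptions made for the demonstration.

```python
import sqlite3

# Payload as rendered in the answer's injected query (minus the URL encoding).
PAYLOAD = "-1 union select 1,2,3 --+-"


def make_db():
    # Constructed in-memory stand-in for the answer's Users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES (1, 'alice', 'correct horse')")
    return conn


def vulnerable_lookup(conn, user_id, password):
    # Same shape as the answer's back-end code: request text is pasted into the SQL,
    # so '-1 union select 1,2,3 --+-' becomes part of the statement and the trailing
    # '--' comments out the password check.
    sql = ("SELECT UserId, UserName, Password FROM Users WHERE UserId = " + user_id
           + " AND Password = '" + password + "'")
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id, password):
    # Hardened form: placeholders are bound by the driver, so the payload is compared
    # as a literal value against UserId and the statement keeps its original shape.
    sql = "SELECT UserId, UserName, Password FROM Users WHERE UserId = ? AND Password = ?"
    return conn.execute(sql, (user_id, password)).fetchall()


def render_profile(rows):
    # Stand-in for the page's UI (hypothetical): it shows the UserName and Password
    # columns of the first row. With the UNION row (1, 2, 3) those fields read "2"
    # and "3", which is how the marker numbers reveal which columns are echoed.
    if not rows:
        return None
    _, username, password = rows[0]
    return {"username": str(username), "password": str(password)}


if __name__ == "__main__":
    conn = make_db()
    print("concatenated query, injected:", vulnerable_lookup(conn, PAYLOAD, "anything"))
    print("what the UI would show      :", render_profile(vulnerable_lookup(conn, PAYLOAD, "anything")))
    print("parameterised query, same input:", safe_lookup(conn, PAYLOAD, "anything"))
    print("parameterised query, valid login:", safe_lookup(conn, "1", "correct horse"))
```

The UNION row is the only row the injected query returns, because UserId = -1 matches nothing; the application then renders the attacker's constants exactly where it would have rendered the real columns. The parameterised version returns no rows for the same input and still returns the real row for a valid login, which is the check to apply to any lookup built like the answer's.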

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow