web http sql-injection union-based session account-takeover

Forge a result row that mixes your stable identifiers with the victim's high-value attributes when the app trusts the row wholesale.

Hybrid Session State via UNION SELECT

When the app maps SQL result columns directly into session fields, a forged row can mix identity components from multiple real users.

Why It Matters

  • A UNION SELECT row can blend your own login-stable fields with the victim's role/email/2FA when the session is built from the row wholesale.

Vulnerable Pattern

  • Custom auth code that runs SELECT id, username, emailUser ... and trusts the returned row wholesale as the authenticated identity.

Exploit Flow

  1. Learn the exact column order and which fields influence which later behaviors.
  2. Craft a UNION SELECT row combining your own stable identifiers with the victim's high-value attributes.
  3. Inspect whether the session shows cross-account effects (your inbox plus the victim's 2FA or role).

Common Blockers

  • SQL type mismatches, row-count expectations, or session logic recomputing some fields server-side later.

PoC Sketch

-- UNION SELECT returning your own id but the victim's emailUser/username
-- then check whether the session mixes both identities
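As an added example, not code from the original page or from the referenced challenge: a minimal Python login showing the "trust the row wholesale" anti-pattern next to a hardened version that binds parameters and re-reads role, e-mail and 2FA state by primary key on every use (the server-side recomputation listed under Common Blockers). The schema, column names, sample rows and function names are constructed assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data, not from the page: one privileged user, one not.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "emailUser TEXT, role TEXT, totp_enabled INTEGER, pw TEXT)")
    # pw holds a plain string only to keep the example short; a real app
    # stores a password hash and verifies it in application code.
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "admin", "admin@example.test", "admin", 1, "adminpass"),
        (2, "mallory", "mallory@example.test", "user", 0, "mallorypass"),
    ])
    return db

def session_from_row(row):
    # Maps result columns onto session fields by position, which is exactly
    # what lets a UNION-injected row define every field of the session.
    keys = ("id", "username", "emailUser", "role", "totp_enabled")
    return dict(zip(keys, row))

def vulnerable_login(db, username, password):
    # Anti-pattern: query built by string formatting, and whatever row comes
    # back is trusted wholesale as the authenticated identity.
    sql = ("SELECT id, username, emailUser, role, totp_enabled FROM users "
           f"WHERE username = '{username}' AND pw = '{password}'")
    row = db.execute(sql).fetchone()
    return session_from_row(row) if row else None

def hardened_login(db, username, password):
    # Bound parameters keep user input from changing the query's shape, so
    # no attacker-chosen row can be appended; exactly one match or fail closed.
    rows = db.execute("SELECT id FROM users WHERE username = ? AND pw = ?",
                      (username, password)).fetchall()
    if len(rows) != 1:
        return None
    return {"id": rows[0][0]}   # the session stores only the verified id

def session_attributes(db, session):
    # Role, e-mail and 2FA state are re-read by primary key whenever needed,
    # never carried over from the login query result.
    row = db.execute("SELECT username, emailUser, role, totp_enabled "
                     "FROM users WHERE id = ?", (session["id"],)).fetchone()
    return session_from_row((session["id"],) + row) if row else None
```

With the hardened path, a row that claims another user's role or e-mail has no effect, because those fields are never read from the login result in the first place.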

Good Situations To Use It

  • A UNION-injectable auth query.
  • The session is built directly from the selected row.
  • You know the column order.

Sources

  • midnight_flag2026/web/blackbank