SQL injection (all variants)


Understanding SQL Injection

What is SQL Injection?

SQL injection exploits the way web applications construct SQL queries by inserting malicious SQL code through user input fields. When applications fail to properly validate, sanitize, or parameterize user input, attackers can manipulate the intended SQL query structure to execute arbitrary database commands.

How SQL Injection Works

  • Vulnerable Code Example:

// The raw 'id' request parameter is concatenated straight into the SQL string,
// so any SQL syntax it contains becomes part of the statement that is executed.
$query = "SELECT * FROM users WHERE id = " . $_GET['id'];
$result = mysqli_query($connection, $query);

  • Normal Request:

GET /page.php?id=1
SQL Query: SELECT * FROM users WHERE id = 1

  • Malicious Request:

GET /page.php?id=1 OR 1=1
SQL Query: SELECT * FROM users WHERE id = 1 OR 1=1
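The vulnerable lookup above beside its hardened forms, as an added example (not code from the original page): the PHP is recast in Python against a constructed in-memory SQLite table standing in for the page's `users` table, so the difference between concatenation and a bound parameter can be run directly.

```python
import sqlite3

# Constructed in-memory stand-in for the page's users table (not from the original page).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "user"), (2, "bob", "user"), (3, "root", "admin")])
    return con

def lookup_vulnerable(con, user_id: str):
    # Same defect as the PHP above: the raw request parameter is concatenated into
    # the statement, so "1 OR 1=1" turns a one-row lookup into a full-table dump.
    query = "SELECT id, name, role FROM users WHERE id = " + user_id
    return con.execute(query).fetchall()

def lookup_parameterized(con, user_id):
    # Hardened form: the value travels as a bound parameter, never as SQL text,
    # so "1 OR 1=1" is compared as a literal value and simply matches nothing.
    query = "SELECT id, name, role FROM users WHERE id = ?"
    return con.execute(query, (user_id,)).fetchall()

def lookup_validated(con, user_id: str):
    # Defence in depth: reject anything that is not the expected integer before it
    # reaches the database at all, then still use the parameterized query.
    if not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return lookup_parameterized(con, int(user_id))
```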

Common Vulnerable Input Points

GET Parameters:

  • URL query string parameters

  • Path parameters in RESTful APIs

  • Fragment identifiers

POST Parameters:

  • Form input fields

  • Hidden form fields

  • File upload parameters

HTTP Headers:

  • User-Agent strings

  • X-Forwarded-For headers

  • Custom application headers

Cookies:

  • Session identifiers

  • User preference cookies

  • Authentication tokens

JSON and XML Data:

  • API request bodies

  • Configuration parameters

  • Data interchange formats


SQL Injection Detection


This section focuses on confirmation and signal identification. Full error-based and time-based exploitation techniques are detailed in later sections.

Basic Syntax Testing

  • Single Quote Testing:

  • Double Quote Testing:

  • Backslash and Escape Character Testing:

  • Comment Injection Tests:

Boolean Logic Testing

  • True/False Condition Testing:

Error-Based Detection

  • MySQL Error Signatures:

  • PostgreSQL Error Signatures:

  • SQL Server Error Signatures:

  • Oracle Error Signatures:

Time-Based Detection

MySQL Time Delays

  • SLEEP Function:

  • BENCHMARK Function:

PostgreSQL Time Delays

  • pg_sleep Function:

  • generate_series Delay:

SQL Server Time Delays

  • WAITFOR DELAY:

Oracle Time Delays

  • DBMS_LOCK.SLEEP:

Response Analysis

  • Response Timing

  • Content Length

  • HTTP Status Code

  • Response Pattern:


Union-Based SQL Injection

Purpose

Union-based injection leverages the UNION SQL operator to combine results from multiple SELECT statements, allowing attackers to extract data from any accessible database table. This technique is highly effective when the application displays query results directly to the user.

Prerequisites for Union Injection

Requirements:

  1. Application must display query results

  2. Injected query must have the same number of columns as the original query

  3. Data types must be compatible

  4. UNION operator must be supported by database

Extracting Column Count

ORDER BY Method

  • Sequential Column Discovery:

  • Binary Search Optimization:

UNION SELECT Method

  • NULL Value Testing:

Data Type Identification

  • String:

  • Integer:

  • Mixed Data Types:

Database Information Extraction

MySQL Information Schema Exploitation

  • Database Enumeration:

  • Table Enumeration:

  • Column Enumeration:

PostgreSQL Information Extraction

  • System Information:

  • Database Schema Enumeration:

SQL Server Information Extraction

  • System Information:

  • Database Schema Information:

Data Extraction Techniques

  • Basic Data Extraction:

  • Data Concatenation:

Row-by-Row Extraction

  • LIMIT-Based Extraction (MySQL/PostgreSQL):

  • TOP-Based Extraction (SQL Server):

  • ROWNUM-Based Extraction (Oracle):

Advanced Data Extraction

  • Conditional Data Extraction:

  • Nested Query Extraction:


Boolean-Based Blind SQL Injection

Purpose

Boolean-based blind injection exploits applications that don't return database errors or query results but show different responses (page content, HTTP status codes, or response times) for true and false conditions. This technique relies on inferring information through the application's behavior rather than direct data output.

Database Information Extraction

Database Version Discovery

  • MySQL Version Extraction:

  • PostgreSQL Version Extraction:

Database Name Extraction

Character-by-Character Database Name:

Table Discovery

Table Count Determination:

Table Name Extraction:

Advanced Boolean Techniques

Binary Search

  • ASCII Binary Search:

Conditional Logic Exploitation

  • IF/CASE Statement Injection

MySQL IF Statement:

PostgreSQL CASE Statement:

SQL Server CASE Statement:


Time-Based Blind SQL Injection

Purpose

Time-based injection exploits applications by causing deliberate delays in database responses to infer information when no visible output differences exist. This technique is useful when applications show identical responses regardless of query results but still process the injected SQL.

Database-Specific Time Delay Functions

MySQL Time Delays

  • SLEEP Function:

  • BENCHMARK Function:

PostgreSQL Time Delays

  • pg_sleep Function:

  • generate_series Delay:

SQL Server Time Delays

  • WAITFOR DELAY:

Oracle Time Delays

  • DBMS_LOCK.SLEEP:

Time-Based Data Extraction

Character-by-Character Extraction

  • Database Name Extraction:

  • Data Extraction:

Advanced Time-Based Extraction

  • Binary Search for ASCII Values:


Error-Based SQL Injection

Purpose

Error-based injection exploits verbose database error messages to extract data directly from error responses. This technique leverages database functions that generate errors containing the desired data, making extraction faster than blind techniques.

Function Errors

Function errors are simply a way to fingerprint the database type by triggering an error:

MySQL Error-Based Techniques

EXTRACTVALUE Function

  • Basic EXTRACTVALUE Usage:

  • Advanced EXTRACTVALUE Queries:

  • Row-by-Row EXTRACTVALUE Extraction:

UPDATEXML Function

Basic UPDATEXML Usage:

Advanced UPDATEXML Queries:

EXP Function

Exponential Overflow Error:

PostgreSQL Error-Based Techniques

CAST Function Errors

Type Conversion Errors:

Advanced CAST Queries:

Array Index Errors

Array Bounds Exploitation:

SQL Server Error-Based Techniques

CONVERT Function Errors

Type Conversion Exploitation:

Advanced CONVERT Queries:

Oracle Error-Based Techniques

ORA Error Exploitation

CTXSYS.DRITHSX.SN Function:

UTL_INADDR.GET_HOST_NAME Function:


Second-Order SQL Injection

Purpose

Second-order SQL injection occurs when user input is stored in the database and later used in a SQL query without proper sanitization during the retrieval and processing phase. This type of injection is harder to detect and exploit because the malicious payload is not executed immediately, but only when the stored value is read back into a later query.
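The two phases described above in runnable form, as an added example (not code from the original page): a constructed registration table and audit table in in-memory SQLite, a parameterized INSERT that stores the value safely, and a later administrative lookup shown both with the defect (stored value concatenated into SQL) and hardened (stored value bound as a parameter).

```python
import sqlite3

# Constructed schema (not from the original page): users register, and an
# administrative function later reads their stored username back into a query.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    con.execute("CREATE TABLE audit (id INTEGER PRIMARY KEY, username TEXT, action TEXT)")
    con.executemany("INSERT INTO audit (username, action) VALUES (?, ?)",
                    [("alice", "login"), ("bob", "login"), ("carol", "export")])
    return con

def register(con, username: str) -> int:
    # Step 1 (payload storage): the INSERT is parameterized, so registration itself
    # is not injectable. Whatever the user typed is stored byte for byte.
    cur = con.execute("INSERT INTO users (username) VALUES (?)", (username,))
    return cur.lastrowid

def audit_for_user_vulnerable(con, user_id: int):
    # Step 2 (payload activation): the stored value is treated as trusted because it
    # "came from the database" and is concatenated into a later query. This is the
    # point at which a second-order payload fires.
    (username,) = con.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    query = "SELECT username, action FROM audit WHERE username = '" + username + "'"
    return con.execute(query).fetchall()

def audit_for_user_hardened(con, user_id: int):
    # Hardened form: data read back from the database is still data, so it is bound
    # as a parameter exactly like fresh user input would be.
    (username,) = con.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return con.execute("SELECT username, action FROM audit WHERE username = ?",
                       (username,)).fetchall()
```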

Detection Methodology

Input Storage Points Analysis

Registration Systems:

Profile Update Systems:

Comment and Feedback Systems:

Trigger Point Identification

Administrative Functions:

Reporting and Analytics:

Exploitation Strategies

Multi-Step Exploitation Process

Step 1: Payload Storage

Step 2: Payload Activation

Step 3: Exploitation Verification

Advanced Second-Order Techniques

Time-Delayed Activation:

Conditional Payload Execution:


Advanced SQL Injection Techniques

Purpose

Advanced techniques bypass modern security controls including Web Application Firewalls (WAFs), input filters, and other protection mechanisms while exploiting complex database configurations and features.

WAF Bypass Techniques

Comment-Based Bypasses

MySQL Comment Variations:

Comment Nesting:

Case Variation and Encoding

Case Mixing Bypasses:

URL Encoding Bypasses:

HTML Entity Encoding:

Space and Delimiter Bypasses

Alternative Space Characters:

Comment-Based Space Replacement:

Keyword Obfuscation

Alternative Keywords:

Function Name Obfuscation:
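A defender's counterpart to the signals listed in the Detection section (quote and backslash probes answered by a server error, tautologies, UNION column probing, the per-database time-delay functions) and to the case-mixing, URL-encoding and comment-as-space bypasses above: an added example, not from the original page, that normalises the query string of constructed access-log lines before matching so those evasions do not hide the probe. Pattern names, sample log lines and thresholds are this example's own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in combined log format (not from the original page).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /page.php?id=1%27 HTTP/1.1" 500 88',
    '203.0.113.5 - - [10/Oct/2023:13:55:47 +0000] "GET /page.php?id=1+oR+1%3D1 HTTP/1.1" 200 9031',
    '203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /page.php?id=1%2527/**/uNiOn/**/sElEcT/**/1,2,3-- HTTP/1.1" 200 620',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /page.php?id=1;SELECT%20pg_sleep(5)-- HTTP/1.1" 200 512',
]

REQUEST = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/[\d.]+" (\d{3})')

# Keyword signals, matched case-insensitively on the normalised query string.
KEYWORD_SIGNALS = {
    "tautology": re.compile(r"\b(or|and)\b\s*['\"]?\s*\w+\s*['\"]?\s*=\s*['\"]?\s*\w+", re.I),
    "union": re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    "time": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay|dbms_lock\.sleep)\b", re.I),
}
COMMENT = re.compile(r"--|#|/\*")
QUOTE_OR_ESCAPE = re.compile(r"['\"\\]")

def normalize(query: str):
    # Decode twice so double URL-encoding (%2527 -> %27 -> ') cannot hide the payload,
    # then fold inline comments used as spaces (/**/) back into whitespace so the
    # keyword patterns see "union select" rather than "union/**/select".
    decoded = unquote_plus(unquote_plus(query))
    folded = re.sub(r"/\*.*?\*/", " ", decoded)
    return decoded, folded

def classify(log_line: str) -> list:
    """Return the sorted list of injection-probe signals present in one log line."""
    m = REQUEST.search(log_line)
    if not m or "?" not in m.group(1):
        return []
    query, status = m.group(1).split("?", 1)[1], int(m.group(2))
    decoded, folded = normalize(query)
    hits = [name for name, pat in KEYWORD_SIGNALS.items() if pat.search(folded)]
    if COMMENT.search(decoded):
        hits.append("comment")
    # Response-analysis signal: a quote or backslash probe answered with a 5xx is the
    # page's single-quote / backslash syntax test as seen from the server side.
    if status >= 500 and QUOTE_OR_ESCAPE.search(decoded):
        hits.append("syntax_error")
    return sorted(hits)

def scan(lines):
    """Pair each flagged line index with its signals; clean lines are omitted."""
    return [(i, classify(line)) for i, line in enumerate(lines) if classify(line)]
```

The tautology pattern is deliberately broad and will flag some legitimate free-text parameters; in production it belongs behind a per-source rate threshold rather than as a blocking rule on its own.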

Database-Specific Advanced Features

MySQL Advanced Techniques

  • File System Operations:

  • File Writing Operations:

  • User-Defined Functions (UDF):

PostgreSQL Advanced Techniques

  • Large Object Functions:

  • Command Execution:

  • Extension Exploitation:

SQL Server Advanced Techniques

  • xp_cmdshell Command Execution:

  • OLE Automation:

  • Linked Server Exploitation:

Privilege Escalation Techniques

Database User Privilege Escalation

  • MySQL Privilege Escalation:

  • PostgreSQL Privilege Escalation:

  • SQL Server Privilege Escalation:


Testing Checklist:

  • Detection Phase:

  • Exploitation Phase:

  • Advanced Testing:

  • Tool Validation:
