AppSecExplained
  • Index < START HERE
    • My courses
    • How to get started from zero
  • 📽️Live Stream Content
    • Resource of the week
  • Discovery / Recon
    • Methodology
    • Content discovery / recon
      • Subdomains
      • Endpoints
      • Parameters
      • Spidering
  • Common vulns
    • SQL injection overview
      • Detection
      • Blind SQLi
      • Second-order SQLi
      • SQLi lab setup & writeups
    • NoSQL injection
    • JavaScript injection (XSS)
      • XSS Methodology
    • File Inclusion
      • Local file inclusion
        • Directory traversal
    • Command injection
    • XXE (XML external entity) injection
      • Blind XXE
    • Template injection
      • Server-side template injection
      • Client-side template injection
    • Authentication
      • Attacking password-based authentication
      • Attacking MFA
      • Authentication lab setup & writeups
    • Cross-Site Request Forgery (CSRF)
    • Insecure deserialization
      • PHP
      • Java
      • Python
      • .NET
    • Server-side request forgery (SSRF)
    • Insecure file upload
    • Clickjacking
    • Open redirect
    • Vulnerable components
    • Race conditions
      • Limit overrun
    • Prototype pollution
      • Client-side prototype pollution
    • APIs
      • API: BOLA
      • API: Broken authentication
      • BOPLA
      • API: BFLA
  • Bypassing controls
    • Rate limiting
    • WAF Bypasses
  • Scripts
    • Docker-compose.yml files
      • Wordpress
      • SQLi testing labs
    • PHP scripts
      • RCE Function Check
    • Wordlists
      • Single characters
      • SQLi
  • Code review
    • Getting started
    • Sinks
  • Links worth your time
    • Practical API Hacking
    • Rana Khalil's Web Security Academy Course
    • Portswigger's Web Security Academy
    • TCM Security Discord
    • PentesterLand Writeups
Powered by GitBook
On this page
  • What is it?
  • Checklist
  • Exploitation

Was this helpful?

  1. Common vulns

SQL injection overview

What is it?

SQL injection is where an attacker is able to manipulate database queries made by an application.

A simple example

  • A vulnerable web application has the endpoint /search?product={productName}

  • When a request is made, the application uses SQL to search for the product SELECT * FROM products WHERE name=$productName

  • If an attacker inserts a payload into {productName} such as anything' UNION SELECT password FROM users WHERE username = 'admin that modifies the query, sensitive data could be leaked.

  • The vulnerable application sends this query to the database and the database returns the admin's password.

It's important to note that a payload or attack may change depending on the application, the query, and the database. SQL injection can often lead to:

  • Sensitive data exposure

  • Data manipulation

  • Remote code execution

  • Denial of service

Other learning resources:

  • PostSwigger: https://portswigger.net/web-security/sql-injection

  • Swisskeyrepo: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection

Writeups:

  • https://infosecwriteups.com/how-i-found-multiple-sql-injections-in-5-minutes-in-bug-bounty-40155964c498

Have a good writeup & want to share it here? Drop me a message on LinkedIn.

Checklist

Exploitation

# Basic login bypass
' AND 1=1#
# UNION SELECT
' UNION SELECT null,null FROM users-- -
# Blind
' AND SUBSTR((SELECT version()),1,1)='7'#
CAST((SELECT example_column FROM example_table) AS int)
PreviousSpideringNextDetection

Last updated 10 months ago

Was this helpful?