SQL injection overview
SQL injection is a vulnerability in which an attacker can alter the database queries an application makes, by supplying input that the application splices into a query so that it is interpreted as SQL rather than as data.
A simple example
A vulnerable web application has the endpoint /search?product={productName}
When a request is made, the application builds a SQL query from the parameter to search for the product:
SELECT * FROM products WHERE name='$productName'
If an attacker inserts a payload into {productName} such as
anything' UNION SELECT password FROM users WHERE username = 'admin
the structure of the query changes and sensitive data can be leaked.
The vulnerable application sends this modified query to the database, and the database returns the admin's password alongside the product search results.
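The product search above, written out as an added example (not code from the original page): the vulnerable query builder beside its parameterised fix, run against a constructed in-memory SQLite database, so you can see the page's payload succeed against the first and fail against the second. The table layouts, sample rows and function names are assumptions made for the demo.

```python
import sqlite3

PAYLOAD = "anything' UNION SELECT password FROM users WHERE username = 'admin"


def build_db() -> sqlite3.Connection:
    # Constructed demo data (not from the page). products has a single column
    # so that the page's one-column UNION SELECT lines up with SELECT *;
    # a real UNION payload must match the column count of the original query.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (name TEXT);
        INSERT INTO products VALUES ('widget'), ('gadget');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2-DEMO'), ('bob', 'pw-DEMO');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, product_name: str) -> list[str]:
    # The bug the page describes: the parameter is spliced into the SQL text,
    # so a quote in the input closes the string literal and everything after it
    # is parsed as SQL (here, the UNION that reads the users table).
    sql = f"SELECT * FROM products WHERE name='{product_name}'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, product_name: str) -> list[str]:
    # The fix: a bound parameter is handed to the engine as a value and is never
    # parsed as SQL, so the payload is just a product name that matches nothing.
    sql = "SELECT * FROM products WHERE name=?"
    return [row[0] for row in conn.execute(sql, (product_name,))]


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", search_vulnerable(conn, PAYLOAD))  # ['hunter2-DEMO']
    print("safe:      ", search_safe(conn, PAYLOAD))        # []
```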
It's important to note that the exact payload or attack varies with the application, the query, and the database engine. SQL injection can often lead to:
- Sensitive data exposure
- Data manipulation
- Remote code execution
- Denial of service
Other learning resources:
- PortSwigger:
- swisskyrepo:
- Writeups:
Have a good writeup & want to share it here? Drop me a message on LinkedIn.
Verify injection points
- URL parameters
- Form fields
- HTTP headers (e.g. cookies, etc.)
- Out-of-band (e.g. data retrieved from a third party)

- Test ' and "
  - Can you trigger an error?
  - Can you trigger a different response?
- Test with SQLmap
- Test for login bypass ' and 1=1-- -
  - etc.
- Test for blind SQLi
  - Test for errors
  - Test for conditional responses
  - Test for conditional errors
  - Test for time delays
  - Test for out-of-band interactions
- Test for NoSQL injection
- Is there a blocklist?
  - Can you bypass the blocklist?
    - Encoding
    - Double encoding
    - Alternative characters
    - Alternative payloads
- Test for second-order SQLi