SQL Injection Overview
What is it?
SQL injection is where an attacker is able to manipulate database queries made by an application.
A simple example
A vulnerable web application has the endpoint
/search?product={productName}When a request is made, the application uses SQL to search for the product
SELECT * FROM products WHERE name=$productNameIf an attacker inserts a payload into
{productName}such asanything' UNION SELECT password FROM users WHERE username = 'adminthat modifies the query, sensitive data could be leaked.The vulnerable application sends this query to the database and the database returns the admin's password.
It's important to note that a payload or attack may change depending on the application, the query, and the database. SQL injection can often lead to:
Sensitive data exposure
Data manipulation
Remote code execution
Denial of service
Other learning resources:
PostSwigger: https://portswigger.net/web-security/sql-injection
Writeups:
Have a good writeup & want to share it here? Drop me a message on LinkedIn.
Checklist
What is the technology stack you're attacking?
What application/framework is being used
What backend DB is being used
Is there an ORM?
Verify injection points
URL parameters
Form fields
HTTP headers (e.g. cookies, etc)
Out-of-band (e.g. data retrieved from a third party)
Test ' and "
Can you trigger an error?
Can you trigger a different response?
Test with SQLmap
Test for login bypass
' and 1=1-- -etcTest for blind SQLi
Test for errors
Test for conditional responses
Test for conditional errors
Test for time delays
Test for out-of-band interactions
Test for NoSQL injection
Is there a blocklist?
Can you bypass the blocklist?
Encoding
Double encoding
Alternative characters
Alternative payloads
Test for second-order SQLi
Exploitation
Copy
Copy
Copy
Last updated