📝 Overview
What it is: A web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Target Phase: attack / Enumeration Operating System: Platform Independent (Web Apps)
⚙️ Core Capabilities
- Bypass Auth: Log in as an administrator without a password.
- Data Exfiltration: Dumping the entire database (hashes, customer info).
- RCE: In some cases (like
xp_cmdshellin MSSQL), SQLi can lead to a full system shell.
🔬 Example Payloads
- Auth Bypass:
' OR 1=1 --entered in a login form to bypass authentication. - UNION-based:
' UNION SELECT username, password FROM users --to extract data via In-Band. - Time-Based Blind:
'; IF (1=1) WAITFOR DELAY '0:0:5' --to infer data through response timing.
🛡️ Prevention (The “IT Specialist” Defense)
- Prepared Statements: Using parameterized queries so the DB knows what is data vs. command.
- Stored Procedures: Similar to parameterized queries; keeps the logic on the DB side.
- Input Validation: Use “Allow-lists” to ensure input matches the expected format.
- Privilege Management: Run database connections with the lowest necessary permissions — a read-only user can’t
DROP TABLE.
🏷️ Tags
SQLi SQLInjection WebSecurity attack Enumeration Database PenTestPlus CLItool injection
Types of SQL Injection
| Type | Description |
|---|---|
| In-Band (Classic) | The attacker uses the same communication channel to launch the attack and gather results (e.g., seeing data directly on the webpage). |
| Inferential (Blind) | No data is actually transferred. The attacker observes the server’s response time or changes in the page layout to “infer” data (e.g., “If the first letter of the password is ‘A’, wait 10 seconds”). |
| Out-of-Band | The attacker triggers the database to make a request to an external server (like a DNS or HTTP request) to exfiltrate the data. |