SQLi is one of the oldest vulnerabilities around; while it is not that common anymore, the impact can be very severe. SQLi has held the number one spot (as part of the “Injection” category) since the OWASP Top 10 of 2010 and still holds it in the OWASP Top 10 of 2017.

What is SQLi?

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application.

OWASP


SELECT bounty FROM researcher WHERE id = 31337;
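To make the definition concrete, here is an added example (not code from the original page) that builds the query above by string concatenation, the way a vulnerable application would. The `researcher` table and its rows are constructed for this example; the point is that whatever the client sends becomes part of the SQL text, so a stray single quote breaks the query (the error an attacker looks for) and a crafted value changes what the query returns.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory table mirroring the query in the text."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE researcher (id INTEGER PRIMARY KEY, name TEXT, bounty INTEGER)"
    )
    conn.executemany(
        "INSERT INTO researcher VALUES (?, ?, ?)",
        [(31337, "alice", 5000), (42, "bob", 250), (7, "carol", 1200)],
    )
    return conn


def lookup_bounty_vulnerable(conn, user_input):
    """Vulnerable by design: the client's input is spliced into the SQL text,
    so it can alter the structure of the query instead of acting as a value."""
    sql = "SELECT bounty FROM researcher WHERE id = " + user_input + ";"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # A database error leaking back to the client is the classic sign
        # that input reached the parser: this is what "spraying quotes" finds.
        return {"sql": sql, "error": str(exc), "rows": []}
    return {"sql": sql, "error": None, "rows": [r[0] for r in rows]}


if __name__ == "__main__":
    db = build_db()
    for value in ("31337", "31337'", "0 OR 1=1"):
        print(lookup_bounty_vulnerable(db, value))
```

The first input behaves as intended, the second turns into a syntax error because the quote is unbalanced, and the third rewrites the WHERE clause so every row's bounty comes back: the application never decided to return those rows, the injected SQL did.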

*pwnfunction video*


A must-read on how to manually discover and exploit SQLi, by Gerben Javado.

If the video was not enough or you just want more, PortSwigger has a great explanation of SQL injection.

EXTRA VIDEO: A CTF challenge exploiting SQLi (by John Hammond)

Impact

The impact of SQL injection can be quite severe, ranging from viewing other people’s data or accessing other people’s accounts (by leaking their credentials) to changing data or deleting the entire database.

Spraying single quotes to find SQLi be like

Error Based SQLi

With error-based SQLi it is possible to extract information by triggering SQL error messages on the site. Detailed SQL errors should always be disabled on publicly accessible sites.

Advanced Error Based SQL Injection Exploitation by H4ck0

A write-up showcasing how to exploit a SQLi both as error-based SQLi and as blind SQLi, by Redforce.

Union Based SQLi

Union-based SQLi allows extracting information by extending the result of the original query with the SQL UNION operator.

A tutorial on UNION attacks by PortSwigger.

Blind SQLi

Blind SQLi is a more difficult type of SQLi because the information you are trying to extract is not visible on the web page. With blind SQLi it is possible to extract information by asking the database “questions” and determining the answer from the response content and/or the response time.

Making a Blind SQL Injection a Little Less Blind by TomNomNom

A tutorial on blind SQLi by PortSwigger.

A great example of how to build a harmless proof of concept for a blind SQLi in the User-Agent header, by harisec.
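From the defender's side, the three techniques above (error-based, union-based and blind) leave recognisable traces in web server logs. The following is an added example, not code from the original page: a small detector that parses Apache combined-format access log lines, URL-decodes the request path, inspects both the path and the User-Agent (the blind-in-User-Agent case mentioned above), and flags clients that trigger server errors with quotes, send UNION SELECT, or use boolean/time-delay probes. The log lines, the IP addresses and the `quote_threshold` for "quote spraying" are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample log (Apache combined format): 203.0.113.5 is probing for
# SQLi, 198.51.100.7 is normal traffic whose only quote is a legitimate name.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /researcher?id=31337 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /researcher?id=31337%27 HTTP/1.1" 500 220 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /researcher?id=31337%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /researcher?id=31337%20UNION%20SELECT%20NULL%2CNULL HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "GET /researcher?id=31337%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /researcher?id=42 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /search?q=O%27Reilly HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# One signature per technique described in the text (assumed patterns, not exhaustive).
TIME_BASED = re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)
UNION_BASED = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)
BOOLEAN_BASED = re.compile(r"\b(?:and|or)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)


def classify(line):
    """Return (client_ip, set of tags) for one log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode %27 etc. so quotes are visible; look at the path and the User-Agent.
    text = unquote_plus(m["path"]) + " " + m["ua"]
    tags = set()
    if "'" in text:
        tags.add("quote")
        if int(m["status"]) >= 500:
            # A quote that produced a server error: the error-based signal.
            tags.add("error_probe")
    if UNION_BASED.search(text):
        tags.add("union")
    if BOOLEAN_BASED.search(text):
        tags.add("boolean_blind")
    if TIME_BASED.search(text):
        tags.add("time_blind")
    return m["ip"], tags


def scan(log_text, quote_threshold=3):
    """Aggregate tags per client; a client is suspicious on any strong signal,
    or when it sends quotes in many requests (quote spraying)."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed is None:
            continue
        ip, tags = parsed
        per_ip[ip].update(tags)
    report = {}
    for ip, counts in per_ip.items():
        strong = any(counts[t] for t in ("error_probe", "union", "boolean_blind", "time_blind"))
        spraying = counts["quote"] >= quote_threshold
        report[ip] = {"tags": dict(counts), "suspicious": strong or spraying}
    return report


if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG).items():
        print(ip, finding)
```

A single quote on its own is a weak signal (names like O'Reilly are legitimate), which is why the detector only escalates it when paired with a 5xx response or repeated across many requests; the union and delay signatures are strong on their own. The time-based signature is also the one to correlate with unusually slow responses in the same log.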

Time for practice!

10 levels on SQLi, can you beat them all?

PentesterLab has some free exercises; one of them is a SQLi challenge that includes a course as well!

The go-to tool for SQLi is SQLMap, but always remember to be careful when using tools, especially in this case, since you don’t want to break the database because you were being a script kiddie. RTFM before using SQLMap! There is also a short tutorial on how to use SQLMap.

How to prevent SQLi?

A short summary on how to prevent SQLi:

Also:

  • Limit the rights of the database user (aka don’t use root)
  • Don’t store the passwords in plaintext!
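The following is an added example, not code from the original page, that puts the prevention advice into practice on the `researcher` query from the top of the page: a parameterized query (the input is bound as a value and can never change the SQL), least privilege emulated with an SQLite authorizer hook that refuses anything but reads (a stand-in for the low-privilege database account you would create on a real server), and password storage with a per-user salt and PBKDF2 instead of plaintext. The table layout, the sample rows and the 600,000 PBKDF2 iterations are assumptions for this example.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def build_db():
    """Constructed in-memory schema for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE researcher (id INTEGER PRIMARY KEY, name TEXT, bounty INTEGER)"
    )
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    conn.executemany(
        "INSERT INTO researcher VALUES (?, ?, ?)",
        [(31337, "alice", 5000), (42, "bob", 250)],
    )
    return conn


def lookup_bounty(conn, user_input):
    """Validate the type first, then bind the value: the SQL text never changes."""
    try:
        researcher_id = int(user_input)
    except ValueError:
        return []
    rows = conn.execute(
        "SELECT bounty FROM researcher WHERE id = ?", (researcher_id,)
    ).fetchall()
    return [r[0] for r in rows]


def bounties_by_name(conn, name):
    """A text parameter is bound too: quotes inside it are just characters."""
    rows = conn.execute("SELECT bounty FROM researcher WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


# Actions the "application account" is allowed to perform: reads only.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def restrict_to_reads(conn):
    """Emulates 'don't use root': deny every action except SELECT and column reads.
    On a real DBMS this is a dedicated account with GRANT SELECT only."""

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        return sqlite3.SQLITE_OK if action in READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def attempt_delete(conn):
    """Shows what happens when injected (or buggy) SQL tries to destroy data."""
    try:
        conn.execute("DELETE FROM researcher")
        return "deleted"
    except sqlite3.DatabaseError:
        return "denied"


def store_password(conn, name, password):
    """Never store plaintext: random per-user salt plus a slow hash."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    conn.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?)", (name, salt, pw_hash))


def verify_password(conn, name, password):
    """Recompute the hash and compare in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, pw_hash)


if __name__ == "__main__":
    db = build_db()
    store_password(db, "alice", "correct horse battery staple")
    restrict_to_reads(db)
    print(lookup_bounty(db, "31337"), lookup_bounty(db, "0 OR 1=1"))
    print(bounties_by_name(db, "alice"), bounties_by_name(db, "alice' OR '1'='1"))
    print(attempt_delete(db), verify_password(db, "alice", "wrong"))
```

Note the order: passwords are written before the connection is locked down, because after `restrict_to_reads` even the application's own INSERT is refused. That asymmetry is the point of a separate low-privilege account: the code path that serves untrusted input should not be able to drop or delete anything, regardless of what gets injected.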

SQL Injection Prevention Cheat Sheet by OWASP

A blog post from Troy Hunt’s OWASP Top 10 for .NET developers series.

Want more?

A page everyone should bookmark: the SQL injection cheat sheet by PortSwigger.

Want to know if your account has been compromised in a data breach? Go check “Have I Been Pwned” by Troy Hunt.

A simple explanation of SQLi by Computerphile.

Follow us on Twitter and don’t forget to subscribe to our weekly Bug Bytes, a newsletter curated by Pentester Land and powered by intigriti, containing more write-ups and helpful resources.