SQL Injection Payload List & Explanation

ShuttlerTech
6 min readFeb 7, 2023

--

In this section, we’ll explain what SQL injection is, describe some common examples, explain how to find and exploit various kinds of SQL injection vulnerabilities, and summarize how to prevent SQL injection.

What is SQL injection (SQLi)?

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.

SQL Injection Type :

  • In-band SQLi (Classic SQLi) : In-band SQL Injection is the most common and easy-to-exploit of SQL Injection attacks. In-band SQL Injection occurs when an attacker is able to use the same communication channel to both launch the attack and gather results. The two most common types of in-band SQL Injection are Error-based SQLi and Union-based SQLi.
  • Error-based SQLi : Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database.
  • Union-based SQLi : Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.
  • Inferential SQLi (Blind SQLi) : Inferential SQL Injection, unlike in-band SQLi, may take longer for an attacker to exploit, however, it is just as dangerous as any other form of SQL Injection. In an inferential SQLi attack, no data is actually transferred via the web application and the attacker would not be able to see the result of an attack in-band (which is why such attacks are commonly referred to as “blind SQL Injection attacks”). Instead, an attacker is able to reconstruct the database structure by sending payloads, observing the web application’s response and the resulting behavior of the database server. The two types of inferential SQL Injection are Blind-boolean-based SQLi and Blind-time-based SQLi.
  • Boolean-based (content-based) Blind SQLi : Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result. Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned.
  • Time-based Blind SQLi : Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE. epending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned.
  • Out-of-band SQLi : Out-of-band SQL Injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL Injection occurs when an attacker is unable to use the same channel to launch the attack and gather results. Out-of-band techniques, offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable).
  • Voice Based Sql Injection : It is a sql injection attack method that can be applied in applications that provide access to databases with voice command. An attacker could pull information from the database by sending sql queries with sound.

SQL Injection Vulnerability Scanner Tool’s :

  • SQLMap — Automatic SQL Injection And Database Takeover Tool
  • jSQL Injection — Java Tool For Automatic SQL Database Injection
  • BBQSQL — A Blind SQL-Injection Exploitation Tool
  • NoSQLMap — Automated NoSQL Database Pwnage
  • Whitewidow — SQL Vulnerability Scanner
  • DSSS — Damn Small SQLi Scanner
  • explo — Human And Machine Readable Web Vulnerability Testing Format
  • Blind-Sql-Bitshifting — Blind SQL-Injection via Bitshifting
  • Leviathan — Wide Range Mass Audit Toolkit

Practical Manual Approach:
How to manually test applications for SQL Injection:

1. Open the web application you wish to test for SQL Injection defects in a browser.

2. Mouse over the links of the Web site with your cursor while paying attention to the bottom status bar. You will notice the URLs that the links point to. Try to find a URL with parameters in it. Ex. http://www.site.com/articleid.asp?id=42.

Note: If you don’t see any URL’s in the status bar, then just click on links and watch the address bar until you find a URL that has parameters.

3. Once a URL with parameters has been found, click the link and go to that page. In the Address bar you should now see the URL that was seen in the status bar.

4. There are two methods for testing scripts for SQL injection. Be sure to test each parameter value one at a time with both methods.

Method 1. Go to the address bar, click your cursor, and highlight a parameter value. For example, highlight the word value in “name=value” and replace it with a single quote (‘). It should now look like “name=’ “

Method 2. Go to the address bar, click your cursor, and put a single quote (‘) in the middle of the value. It should now look like “name=val’ue”

5. Click the ‘GO’ button. This will send your request to the Web server.

6. Analyze the response from the Web server for any error messages. Most database error messages will look similar to the examples below:

Example error 1:
Microsoft OLE DB Provider for SQL Server error ‘80040e14’
Unclosed quotation mark before the character string ’51 ORDER BY
some_name’. /some_directory/some_file.asp, line 5

Example error 2:
ODBC Error Code = S1000 (General error)
[Oracle][ODBC][Ora]ORA-00933: SQL command not properly ended

Example error 3:
Error: 1353 SQLSTATE: HY000 (ER_VIEW_WRONG_LIST)
Message: View’s SELECT and view’s field list have different column counts

7. Sometimes the error message is not obvious and is hidden in the source of the page. To look for it, you must view the HTML source of the page and search for the error. To do this in Internet Explorer, click the ‘View’ menu, and select the ‘Source’ option. This will cause notepad to open with the HTML source of the page. In notepad, click the ‘Edit’ menu and select ‘Find’. A dialog box will appear that will ask you to ‘Find What’. Type the phrase ‘Microsoft OLE DB’ or ‘[ODBC]’ and click ‘Find Next’.

8. If either step 6 or 7 is successful, then the Web site is vulnerable to SQL injection.

For More Such learning POC Subscribe to YouTube Channel-: https://www.youtube.com/channel/UCS7EGEUlV6Sr7VUnzhBBZrg

Thank you for reading do not forget to Leave Comments Below………..

--

--

ShuttlerTech

Senior Cyber Security Analyst| YouTuber| Freelancer| Cyber Security Trainer | Penetration Tester| Cyber Forensics Investigator