In the ever-evolving world of cybersecurity, few vulnerabilities remain as persistent – and as dangerous – as SQL Injection (SQLi). It’s the kind of flaw that can turn a simple web form into a gateway for full database compromise. Whether you’re a penetration tester, bug bounty hunter, or just curious about how these attacks work, understanding SQLi is essential.
This blog dives into a real-world example of SQL injection exploitation using sqlmap, one of the most powerful tools in the offensive security arsenal.
The Target: Identifying a Vulnerable Endpoint
Consider a request to https://example.com/attendance/example/handler.php?uid=123456&term=1, the endpoint used throughout this post. At first glance, it looks harmless. But if the backend fails to sanitize (or parameterize) the uid parameter, the query behind it could be wide open to SQL injection.
A simple test payload might look like this:
https://example.com/attendance/example/handler.php?uid=123456' OR '1'='1&term=1
This classic ' OR '1'='1 injection attempts to manipulate the SQL query logic. If successful, it could bypass authentication, expose sensitive data, or even allow full database access.
Weapon of Choice: sqlmap
sqlmap is a go-to tool for automating SQL injection detection and exploitation. It’s fast, flexible, and supports a wide range of injection techniques.
Here’s how to launch a basic scan:
sqlmap -u "https://example.com/attendance/example/handler.php?uid=123456&term=1" --batch --risk=3 --level=5 --dbs
What this does:
- Scans the URL's parameters for SQL injection vulnerabilities, answering every prompt with the default (--batch).
- Uses the highest risk (--risk=3) and level (--level=5) settings, which enable sqlmap's most aggressive and most extensive test sets.
- Enumerates available databases (--dbs).
Once databases are found, you can dig deeper:
sqlmap -u "https://example.com/attendance/example/handler.php?uid=123456&term=1" -D target_db --tables
And to extract data from a specific table:
sqlmap -u "https://example.com/attendance/example/handler.php?uid=123456&term=1" -D target_db -T users --dump
Injection Techniques: More Than Just ' OR '1'='1
SQL injection isn’t one-size-fits-all. Depending on the target, different techniques may be more effective:
| Technique | Description |
|---|---|
| Boolean-based blind | Infers data by sending true/false conditions |
| Time-based blind | Uses delays (e.g., SLEEP(5)) to detect injection points |
| Error-based | Forces the database to return error messages with useful info |
| Union-based | Combines results from multiple queries using UNION SELECT |
And don’t limit yourself to GET parameters. SQLi can lurk in:
- POST bodies
- Cookies
- HTTP headers (User-Agent, Referer)
- JSON/XML API payloads
sqlmap supports all of these vectors with options like --data, --cookie, and --headers.
Defense: How to Shut the Door
If you’re on the defensive side, here’s how to keep attackers out:
- Use parameterized queries or prepared statements.
- Validate and sanitize all user inputs.
- Deploy Web Application Firewalls (WAFs).
- Conduct regular security audits and penetration tests.
- Stay updated with the latest CVE disclosures and patch vulnerabilities promptly.
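To make the first two defensive points concrete, here is an added Python/sqlite3 example (not code from the original post): it rebuilds the uid lookup behind a handler like the one above in two ways, against a constructed in-memory attendance table, and shows that the exact ' OR '1'='1 payload from earlier widens the concatenated query to every row for the term while the parameterized query treats it as a literal uid and matches nothing.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the attendance backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attendance (uid TEXT, term INTEGER, status TEXT)")
    conn.executemany(
        "INSERT INTO attendance VALUES (?, ?, ?)",
        [("123456", 1, "present"), ("654321", 1, "absent"), ("111111", 2, "present")],
    )
    return conn


def lookup_vulnerable(conn, uid, term):
    # String concatenation: whatever arrives in uid becomes part of the SQL text.
    # With uid = "123456' OR '1'='1" the WHERE clause parses as
    #   uid = '123456' OR ('1'='1' AND term = 1)
    # because AND binds tighter than OR, so every term-1 row comes back.
    sql = f"SELECT uid, status FROM attendance WHERE uid = '{uid}' AND term = {term}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, uid, term):
    # Prepared statement: the driver sends uid and term as bound values, never as SQL.
    # int(term) is the validation step; a non-numeric term raises ValueError instead
    # of reaching the database.
    sql = "SELECT uid, status FROM attendance WHERE uid = ? AND term = ?"
    return conn.execute(sql, (uid, int(term))).fetchall()


def compare(uid, term="1"):
    # Returns (rows from the vulnerable query, rows from the safe query) for one input.
    conn = make_db()
    return lookup_vulnerable(conn, uid, term), lookup_safe(conn, uid, term)


if __name__ == "__main__":
    for value in ("123456", "123456' OR '1'='1"):
        vulnerable, safe = compare(value)
        print(f"uid={value!r}: concatenated -> {vulnerable}; parameterized -> {safe}")
```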
Final Thoughts
SQL injection is more than just a textbook vulnerability—it’s a real threat that continues to plague insecure applications. Tools like sqlmap make it easier than ever to test and exploit these flaws, but they also serve as a reminder of why secure coding practices matter.
Whether you’re learning, testing, or defending, understanding SQLi is a must-have skill in your cybersecurity toolkit.