How to Perform SQL Injection Attacks for Security Assessments

November 28, 2023 · 4 min read

Introduction to SQL Injection

  • SQL Injection (SQLi) is a code injection technique that exploits a flaw in how an application builds its database queries: user input ends up being interpreted as part of the SQL statement instead of as data.
  • The vulnerability is present when user input is concatenated into query strings rather than passed through parameterized queries (prepared statements), allowing an attacker to alter the query the backend database executes.
  • Attackers use it to read or modify data they are not authorized to access, such as customer records, credentials, personal details and trade secrets, and in some configurations to reach the underlying database server.

Prerequisites for SQL Injection Testing

  • Understanding of SQL: Working knowledge of SQL is necessary to craft injection payloads and to interpret what the database sends back.
  • Knowledge of Database Systems: Awareness of the dialect differences between common engines such as MySQL, PostgreSQL, Microsoft SQL Server, Oracle and SQLite, since comment syntax, string functions, delay functions and metadata tables all differ.
  • Legal Permission: Written authorization from the owner of the target system, including the agreed scope and rules of engagement.
  • Security Assessment Tools: Familiarity with automated tools like SQLMap or Havij, and with intercepting proxies such as Burp Suite and OWASP ZAP for manual testing.
  • Safe Testing Environment: Test against a non-production environment that mirrors the live system; injection payloads (stacked queries and automated tooling in particular) can modify data or cause service disruption.

Identifying Injection Points

  1. Discover All User Inputs:
    • Identify every place where user-controlled data reaches the application: form fields, query strings, cookies, HTTP headers (for example User-Agent and X-Forwarded-For) and JSON or XML request bodies.
  2. Simple Tests for Vulnerability:
    • Input a single quote (') and watch for a syntax error; then submit two quotes ('') and check that the error disappears, which shows the quote really reaches the query.
    • Look for server error messages that indicate a syntax error, or for a difference in page content when the query's logic is changed (' AND '1'='1 versus ' AND '1'='2).
  3. Use Automated Tools:
    • Run tools like SQLMap to test inputs systematically, once manual testing has shown which parameters are worth the noise.
  4. Analyzing Responses:
    • Examine the responses from the server for SQL error messages, and for differences in content length, status code or response time between true and false conditions.
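The single-quote test described above, as an added example that is not code from the original article: a login check built by string concatenation beside its parameterized form, both run against a constructed in-memory SQLite database. The probe sends ', then '', then a classic tautology in the password field, and records what a tester would observe in each case. The user table, its contents and the function names are assumptions made for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory database standing in for the application's backend (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def vulnerable_login(conn, username, password):
    """The defect: user input is concatenated into the SQL text, so a quote in the
    input closes the string literal and whatever follows is parsed as SQL."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def safe_login(conn, username, password):
    """Same check with bound parameters: the query text is fixed and the input
    is only ever compared as data, quotes included."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def probe(login, conn):
    """Run the manual checks from the section against a login function and report
    what the tester observes: a syntax error on a lone quote, no error when the
    quote is doubled (so the quote is reaching the query text), and whether a
    tautology in the password field bypasses authentication."""
    observed = {}
    try:
        login(conn, "'", "x")
        observed["quote_error"] = False
    except sqlite3.Error as exc:          # SQLite reports: unrecognized token: "'"
        observed["quote_error"] = True
        observed["error_text"] = str(exc)
    try:
        login(conn, "''", "x")            # '' inside a string literal is an escaped quote
        observed["double_quote_error"] = False
    except sqlite3.Error:
        observed["double_quote_error"] = True
    # Resulting WHERE clause: username = 'alice' AND password = '' OR '1'='1'
    # AND binds tighter than OR, so the row matches regardless of the password.
    observed["bypass"] = login(conn, "alice", "' OR '1'='1")
    return observed

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", probe(vulnerable_login, conn))
    print("safe:      ", probe(safe_login, conn))
```

The vulnerable function errors on ' but not on '' and accepts the tautology; the parameterized function shows none of the three behaviours, which is exactly the contrast a tester looks for before spending time on a parameter.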

Types of SQL Injection Attacks

  1. In-band SQLi (Classic): the extracted data comes back in the same channel, the HTTP response.
    • Error-based SQLi: Provoke database errors whose messages embed the result of a query the attacker chose.
    • Union-based SQLi: Append a UNION SELECT so attacker-chosen columns are returned alongside the application's own results; the column count and compatible types must match the original query.
  2. Inferential SQLi (Blind): no data is returned directly; it is inferred from the application's behaviour, one bit or one character at a time.
    • Boolean-based blind: Inject conditions that are true or false and observe whether the page content changes.
    • Time-based blind: Inject a conditional delay (SLEEP() on MySQL, pg_sleep() on PostgreSQL, WAITFOR DELAY on SQL Server) and measure the response time.
  3. Out-of-band SQLi:
    • Rely on the database server's ability to make DNS or HTTP requests to an attacker-controlled host; used when neither an in-band nor an inferential channel is available.

Crafting the Attack

  1. Information Gathering:
    • Query the metadata tables: information_schema.tables and information_schema.columns on MySQL, PostgreSQL and SQL Server, ALL_TABLES and ALL_TAB_COLUMNS on Oracle, sqlite_master on SQLite. Fingerprint the engine and version as well (@@version, version()).
  2. Data Extraction:
    • Craft statements to select data from the database once table and column names are known.
    • Techniques may include UNION SELECT, stacked queries (several statements separated by ';', which only some drivers and engines accept) or blind extraction one character at a time.
  3. Exploiting Database Vulnerabilities:
    • Attempt to read/write files on the database server (for example LOAD_FILE() and SELECT ... INTO OUTFILE on MySQL); these need elevated database privileges and are limited by settings such as secure_file_priv.
    • Explore possibilities for escalating into the operating system (for example xp_cmdshell on SQL Server where it is enabled), but only where the rules of engagement permit it.

Automated SQL Injection Tools

  • SQLMap: An open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws, including engine fingerprinting, schema enumeration, data dumping and, where privileges allow, file system and OS access.
  • Havij: An older Windows GUI tool for automated SQL injection; easy to use, but no longer actively maintained, so prefer SQLMap for current engagements.

Preventing False Positives

  • Verify every potential vulnerability by manually confirming the injection, for example by showing that a true and a false condition produce different responses, or by extracting a harmless value such as the database version.
  • Cross-check the results obtained from automated tools; time-based detections in particular can be false positives caused by network latency, so repeat them several times before reporting.

Post-Exploitation

  • Pivot to Internal Systems: Use the compromised database as a foothold to reach internal networks, only if the rules of engagement include it.
  • Maintain Access: Check whether the vulnerability could be used to maintain persistent access; document the possibility rather than deploying persistence that has to be cleaned up afterwards.
  • Data Exfiltration: Extract only the minimum needed to prove impact (a few records or a row count, not whole tables), without affecting the system's integrity and following the assessment rules.

Ethical and Legal Considerations

  • Always have explicit, written permission before performing any security testing.
  • Be aware of the laws and regulations pertaining to cyber security in your jurisdiction and in the jurisdiction where the target system is hosted.
  • Report all findings to the organization, treat any data retrieved during testing as confidential, and do not disclose it without consent.

Reporting

  • Document each vulnerability discovered with a proof of concept: the affected parameter, the payload used and the response observed.
  • Rate the severity of each vulnerability according to the data or access it exposes.
  • Propose remediation measures and best practices to prevent such vulnerabilities: parameterized queries, least-privilege database accounts, input validation, and generic error pages that do not reveal database details.

Conclusion

SQL Injection attacks for security assessments must be performed methodically and ethically. A tester must ensure they are authorized to perform these attacks and should aim to improve the security posture of the application by responsibly reporting the vulnerabilities found. SQL injection remains a serious threat, and performing it without permission is illegal and unethical. Always conduct security assessments in a controlled and secure environment.