Show Menu

SQL Injection Attacks: Concepts, Tools, Techniques Cheat Sheet (DRAFT) by

This is a draft cheat sheet. It is a work in progress and is not finished yet.


SQL Injection is the act of inserting data into an SQL query through the input data given to an applic­ation by a client.


Lack of input validation
Usage of untrusted code
Lack of adherence to best practices
Server config­uration issues
Client­-pr­ovided inform­ation used in query

Structure of an SQL Query

select <co­l> from <ta­ble> where <fi­eld> = <va­lue­>;
In this case: col, table, field, and value are all places where injection could happen.

Escaping the Intent of the Query

SELECT name, pass FROM users WHERE user_id = '" + $id + "­'";
%' or '1'='1
All names and passwords
1' UNION SELECT 1, @@version -- -
A name and MySQL Version
1' UNION SELECT distin­ct(­tab­le_­sch­ema­),null FROM inform­ati­on_­sch­ema.tables
All Schema Inform­ation

State of the Art - Latest Techniques

SQL Injection through Ads
Forces compro­mised server to serve the attacker's ads
Chaining of Attacks
Utilizing techniques such as camel-­casing, escape characters and character codes to get around protec­tions
Inform­ation Schema
Dumping the Inform­ation Schema to learn more about the database
Multi-Line Comments
Using multi-line comments (/**/) to bypass defensive techniques
Utilizing obfusc­ation to mask attacks
SQL Union
Using SQL UNION along with attacks above to mask attacks

Successful Attacks May

Modify Database Data
Read Sensitive Inform­ation
Execute Operations as an Admini­strator
Recover Files Present on the Database System
Issue Commands to the Database System's OS


In many applic­ations, direction access to the database is the easiest means of access. Thus, a simple form-based authen­tic­ation or web query may be one step away from intera­cting with a database. With this knowledge in hand, a skilled attacker could use cleverly crafted SQL queries to gain root level access and further attack the network.

Modern Injection Tools

User-f­riendly GUI for automatic SQL Injection
Open source penetr­ation testing tool
Google dorks
Advance web searches that are used to finger­print web servers
BSQL Hacker
Made for Blind SQL Injection
Provide the tool with a URL and it does the rest

Mitigation Techniques

Input Validation
Make sure all client­-su­pplied inform­ation is sanitized
Use Parame­terized Queries
Separates the develo­per's SQL query from client input
Stored Procedures
Store SQL queries in the database itself and only provide sanitized input
Whitelist Input Validation
Only accept the inform­ation you want, make sure it doesn't affect query intent
Front-­end­/Ba­ck-end Design
Don't let the applic­ation interact directly with the database
Least Privilege
In the event of a compro­mise, limit the damage
Patch Your Systems
Keep your servers up to date
Keep a log of all queries, preferable on a remote server