AlbusSec:- Penetration-List 06 SQL Injection (SQLi) — Sample 1

Albus Security
4 min readApr 23, 2022

Hello Cybersecurity folk, I hope that you liked the previous series of Cross-Site-Scripting(XSS), On that series of articles, you’ll learn about Basic-XSS-technique, Dom-XSS, and XSS bypass technique. Now I’ll start a series of articles on SQL injection in which you’ll about SQLi, exploitation, and bypass tricks. Firstly, I will introduce myself. So, I’m Aniket Tyagi and I’m an Information Technology officer at the 5f eco foundation of India, an Information Security Researcher, and the founder of Albus Security. Without Wasting Your chakra, let’s get started.

SQL Injection Vulnerability:-

An SQL injection is a defenselessness for the injection of SQL queries that an application uses to interact with the database. If a web application is vulnerable to SQL then it allows an attacker to view data from the database and also allows an attacker to make some changes to a database. mainly SQL injection can lead to PII leaks, data loss, the escalation of privilege, and other vulnerabilities that can be chained with SQL injection.

  • Types of SQL Injection
  • Error Based SQL Injection
  • Union Based SQL Injection
  • Boolean Based SQL Injection
  • Time-Based SQL Injection
  • GET-Based -SQL-Injection Exploitation
  • POST-Based-SQL-Injection Exploitation
  • Header and Cookie-Based-SQL-Injection Exploitation
  • Automation
  • Basic WAF Bypass
  • Advanced WAF Bypass
  • Real-World Example

Types of SQL Injection:-

SQL injections Will be found with three methods: In-band SQLi(Error-Based and Union Based), Blind-SQLi(Boolean-Based and Time-Based), and Out-of-band SQLi(For Penetration-List, I’ll explain only In-band-SQLi and Blind-SQLi).


In Union-Based and Error-Based SQL injection an attacker will play with SQL query by seeing the behavior of Web Application, However, let’s talk about Error-Based SQL injection, the attacker injects some malicious query to a web server that causes the database to produce an error message in response, therefore an attacker can potentially use that error log to retrieve information from the database because that error log provides critical Information to an attacker.


In Union-Based-SQL-Injection, An attacker will use this technique to get multiple select statements generated by the database to get a single response. therefore whenever you find that your target is vulnerable to error-based SQL injection means with the help of error-based, You’ll find out how many columns were used under the queries for the database then to retrieve information from the database, and then an attacker will take advantage of the UNION SQL operator. In our Exploitation part, We’ll learn how we’ll do this.

Boolean Based SQL Injection:-

Boolean-Based or Time-Based SQL Injection is a part of blind SQL injection in which an attacker will send the malicious query to the server and observes the response of the server to learn about the mechanism. But why do we call it “blind-SQL” whenever you’ll inject a malicious query to generate an error log for confirmation that the server is vulnerable to SQL injection, but in blind-SQL injection, You’ll not get any error log because the server will change that errored response to normal response In Simple Word Blind-SQL-Injection only depends upon response patterns not error logs of the server. so it might be typically slower to exploit this and also it is more harmful than error-based. Firstly, We’ll learn about Boolean-Based-SQL-Injection. In Boolean-Based an attacker sends a Malicious query through Input/URL to the database to accept the response from the application. However, that response will be depending on whether the query is True or False. Basically, the Boolean word is used only for True or False. Therefore We’ll play with sending True or False Queries to the database. So If the Server is vulnerable to Boolean-Based-SQL-Injection so whenever you send a query with false then you’ll see some changes on the response for confirmation after this You’ll send a query again with the true value then you’ll get a normal response from the server. We’ll learn more deeply about the exploitation faced.


Sometimes, Whenever you’ll send a query with a False value, but In response, you’ll not see anything, therefore You’ll try another method of Blind-SQL Injection that is known as Time-Based-SQL-Injection. In Time-Based-SQL-Injection an attacker sends a Malicious query to the database, whenever the database sees a malicious query then it waits before it can react because we’ll define a time to the database for the wait before sending any response to the user. With the help of this function, An Attacker will use this time delay function. But How? So if an attacker will enter the right information that was present in the server, therefore, An attacker will also define if that query is true and then wait for a particular time. that’s when an attacker will retrieve a piece of information from the database. In Simple Words. An Attacker will define that if the query is true then wait for a particular time if the query is not true then ignore the time delay. After Completing this You got a basic idea about SQLInjection and types of Injection.

Today the article is basically for beginners to get only a basic idea about SQL injection Vulnerability. therefore In our Next article, We’ll learn how we’ll apply malicious queries and where we can. Drops some clap on it. Because One clap will motivate me to make thousands of articles for You, Thank You for Reading.