SQL Injection

Welcome to the SQL Injection module. This note will guide you thru all the methodologies that I used while preparing for the CEH (Practical) exam.

Introduction

SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists, or private customer details.

What is SQL?
SQL stands for Structured Query Language, which is a computer language for storing, manipulating, and retrieving data stored in a relational database. SQL is the standard language for Relational Database System. MS SQL Server uses T-SQL, Oracle uses PL/SQL, the MS Access version of SQL is called JET SQL (native format), etc.

Basics

You can learn SQL Injection basics from the given link below.

SQL Injection Cheat Sheet

SQLMap

sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches, from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

After gaining knowledge of SQLMap, you should need to know:

Enumeration of databases
Enumeration of Tables in a Database
Dump the data from the database
Spawning an OS Shell with SQLMap

Damn Small SQLi Scanner

Damn Small SQLi Scanner (DSSS) is a fully functional SQL injection vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code.

PreviousSniffing NextHacking Web Applications & Servers

Last updated 2 years ago