SQL Injection

Introduction

SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists, or private customer details.

What is SQL?

SQL stands for Structured Query Language, which is a computer language for storing, manipulating, and retrieving data stored in a relational database. SQL is the standard language for Relational Database System. MS SQL Server uses T-SQL, Oracle uses PL/SQL, the MS Access version of SQL is called JET SQL (native format), etc.

Basics

• You can learn SQL Injection basics from the given link below.

W3Schools.comwww.w3schools.com

What is SQL Injection? Tutorial & Examples | Web Security AcademyWebSecAcademy

SQL Injection Cheat Sheet

SQL Injection Cheat Sheetwww.netsparker.com

SQLMap

• sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

• It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches, from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

GitHub - sqlmapproject/sqlmap: Automatic SQL injection and database takeover toolGitHub

After gaining knowledge of SQLMap, you should need to know:

• Enumeration of databases

• Enumeration of Tables in a Database

• Dump the data from the database

• Spawning an OS Shell with SQLMap

Damn Small SQLi Scanner

Damn Small SQLi Scanner (DSSS) is a fully functional SQL injection vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code.

GitHub - stamparm/DSSS: Damn Small SQLi ScannerGitHub