Before exploiting SQL injection, you must first identify where vulnerabilities exist. This lesson covers systematic approaches to discovering SQL injection points in web applications through manual testing and observation.
Building on our understanding of SQL injection fundamentals, we now focus on practical identification techniques that form the foundation of any SQL injection assessment.
SQL injection can occur anywhere user input is processed by the application. The most common injection points include URL parameters, form fields, HTTP headers, and cookies.
The most reliable way to identify SQL injection is through manual testing. This involves sending specially crafted inputs and observing the application's response for signs of vulnerability.
# Basic SQL injection test payloads
' OR '1'='1
' OR 1=1--
" OR "" = ""
' UNION SELECT NULL--
1' AND '1'='1
1; DROP TABLE users--
One of the most straightforward detection methods is to trigger database errors. When an application displays database error messages, it often reveals the underlying database type and query structure.
💡 Different databases produce different error messages. MySQL, PostgreSQL, MSSQL, and Oracle each have distinctive error formats that can help identify the database type.
When error messages are suppressed, boolean-based detection can reveal vulnerabilities by comparing responses to true and false conditions.
# True condition - should return normal results
http://target.com/product.php?id=1 AND 1=1
# False condition - should return no results or error
http://target.com/product.php?id=1 AND 1=2
⚠️ Always document your testing methodology and obtain proper authorization before testing any application. Keep detailed records of all tests performed.
When neither errors nor boolean differences are visible, time-based detection uses database delay functions to confirm injection. If the application response is delayed, injection is likely possible.
# MySQL time-based test
http://target.com/product.php?id=1 AND SLEEP(5)
# PostgreSQL time-based test
http://target.com/product.php?id=1 AND pg_sleep(5)
# MSSQL time-based test
http://target.com/product.php?id=1; WAITFOR DELAY '0:0:5'