
sql.injection

database query manipulation and exploitation techniques

Overview

SQL injection occurs when user input is included in a SQL query without being properly sanitized. An attacker can then manipulate database operations to bypass authentication, extract data, or execute commands.

Attack Vectors

  • Authentication bypass
  • Data extraction
  • Database enumeration
  • Command execution

Example

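-- vulnerable query: [INPUT] is concatenated into the statement text
SELECT * FROM users
WHERE email = '[INPUT]'
AND password = '[INPUT]'

-- payload (submitted as the email value)
' OR 1=1--

-- result: the quote closes the string, OR 1=1 is always true,
-- and -- comments out what follows
SELECT * FROM users
WHERE email = '' OR 1=1--'
AND password = '...'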
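
The query above built two ways, as an added example that is not part of the original cookbook: once by string concatenation and once with bound parameters, run against the page's payload and a benign input containing an apostrophe. The Python/sqlite3 setup, the sample row and all function names are assumptions made for illustration.

```python
import sqlite3

PAYLOAD = "' OR 1=1--"  # the payload shown in the page's example

def make_db():
    # Constructed sample data; the table follows the page's query. Plaintext
    # passwords only mirror that query (real systems store salted hashes).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice@example.com', 'correct-horse')")
    return db

def login_concatenated(db, email, password):
    # Vulnerable: input is spliced into the SQL text and parsed as syntax.
    query = ("SELECT * FROM users WHERE email = '" + email +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None

def login_parameterized(db, email, password):
    # Hardened: placeholders send input as bound values, never as SQL.
    query = "SELECT * FROM users WHERE email = ? AND password = ?"
    return db.execute(query, (email, password)).fetchone() is not None

def attempt(login, db, email, password):
    # Report a SQL syntax error instead of crashing: benign input with an
    # apostrophe breaking the statement is how this bug shows up in error logs.
    try:
        return login(db, email, password)
    except sqlite3.OperationalError as exc:
        return "sql error: %s" % exc

if __name__ == "__main__":
    db = make_db()
    cases = [("alice@example.com", "correct-horse"),   # legitimate login
             ("alice@example.com", "wrong"),           # bad password
             (PAYLOAD, "anything"),                    # page's payload
             ("o'brien@example.com", "pw")]            # benign apostrophe
    for email, password in cases:
        print(repr(email),
              "| concatenated:", attempt(login_concatenated, db, email, password),
              "| parameterized:", attempt(login_parameterized, db, email, password))
```

The concatenated query is built as a single line, so the `--` comment swallows the password check; the parameterized version treats the same payload as an ordinary, non-matching email value.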

Available Challenges

Basic SQL Injection

Fundamental injection techniques using string concatenation

Beginner · Available

Blind SQL Injection

Inference-based exploitation without direct output

Intermediate · Development

Time-Based SQL Injection

Timing-based blind exploitation techniques

Advanced · Development