SQL injection type details

Posted by barello at 2020-03-04

When I first learned about SQL injection, I was confused by the classification of SQL injection types. Later, I found that everyone classifies them according to the "types" listed by sqlmap. So today I will classify SQL injection according to what I have learned, and explain some important and useful details of injection. I believe it will be very useful for beginners.

This article mainly uses MySQL for its explanations and focuses on the SQL injection types as a whole, along with some important details of each type, so it does not go deep into the syntax and semantics of SQL statements.

As we know, sqlmap has a parameter that can directly specify the type to be used for injection:

--technique=BEISTQU [ Boolean-based blind, Error-based queries, Inline queries, Stacked queries, Time-based blind, UNION query ]

In terms of practical logic, however, this division is hard to understand. Each letter in that value names an injection method, which has nothing to do with the type. It is very important to understand this.

When talking about SQLi, the first important point is to determine the data type of the parameter at the injection location. That parameter is either an integer or a string (character type). The real reason for distinguishing them is that input following an integer parameter does not need to "break out of the variable area" (the surrounding quotes); whatever we type there becomes part of the SQL statement directly. Web developers sometimes escape user input but pay no attention to how integer parameters are handled. In that case the parameter can be injected directly.
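The integer-parameter case described above, as an added example that is not part of the original article. It assumes Python's built-in sqlite3 in place of MySQL; the articles table, the sample rows and the function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data: one public row and one hidden row.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, hidden INTEGER);
        INSERT INTO articles VALUES (1, 'public post', 0), (2, 'draft', 1);
    """)
    return db

def escape_quotes(value):
    # The kind of filter the text describes: it doubles single quotes,
    # which only matters when the value lands inside a quoted string.
    return value.replace("'", "''")

def lookup_concat(db, article_id):
    # VULNERABLE: the integer parameter is spliced in unquoted, so there is
    # no "variable area" to break out of and the escaping never fires.
    sql = ("SELECT title FROM articles WHERE hidden = 0 AND id = "
           + escape_quotes(article_id))
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, article_id):
    # Hardened: enforce the integer type, then bind it as a parameter.
    try:
        numeric_id = int(article_id)
    except ValueError:
        return []
    rows = db.execute(
        "SELECT title FROM articles WHERE hidden = 0 AND id = ?", (numeric_id,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    tampered = "2 OR 1=1"  # constructed input containing no quote character
    print(lookup_concat(db, tampered))  # the hidden row is returned as well
    print(lookup_bound(db, tampered))   # rejected before reaching the database
    print(lookup_bound(db, "1"))        # normal lookup still works
```

Type enforcement plus binding removes the problem regardless of which escaping routine the rest of the application uses.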

The second point is the type of HTTP request used for the injection: GET, POST or another method.


The third point is the location of the injection point within the HTTP request. Header fields such as Cookie and User-Agent may also be injectable. For example, if the developer records the user's browser type in the database, the User-Agent header is used at that point, and if the developer is careless, injection may occur there.

sqlmap tests cookies at level 2, User-Agent and Referer at level 3, and Host at level 5.

First order Injection

The first type: because the names are all translated, I prefer to call it level one (first-order) injection. First-order injection takes place where the application interacts with the user: the user-supplied information that the web application receives may carry an injection.

In-band SQLi

The first subtype of first-order injection is called "in-band SQL injection", which means the attacker interacts with the victim host directly, face to face. It can be pictured as an "information channel" between the attacker and the victim server, through which the attacker obtains the desired information.

Union select sqli (direct echo)

UNION query SQL injection is the simplest type of injection. After the number of columns in the query result has been determined with order by, union select or similar statements are used to query data directly, and the data is echoed straight back in the page.

This type of injection can be understood from the following statement:


In Chinese this is called "error reporting SQL injection" (error-based SQLi). Attackers cannot get the results of their query directly from the page, but through some special methods they can make the results show up, which gives it a slight flavor of blind injection. Error-based injection generally triggers an error message through special database functions, and the echoed error message leaks the queried information.

There are as many as 12 error-reporting functions in MySQL (I only read about and collected them, without verification), but in practice you may only need to be familiar with two or three, which may be helpful when dealing with a WAF. Here are the two I use:

1. The extractvalue function.

The statement is appended after and / or / || / &&:


or 1 and extractvalue(1, concat(0x3a, (select @@version),0x3a))

There is also the following technique. Here the injection point is the integer parameter of the SQL statement's LIMIT clause, and the payload can follow the integer parameter directly (from hackinglab):

?start=0 procedure analyse(extractvalue(rand(),concat(1,(select @@version))),1)

2. The rand + count functions. Combined with union or with and / or / || / &&, they can be very flexible.

union select count(*),concat(0x3a,0x3a,(select @@version),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a;

AND(select 1 from (select count(*),concat(0x3a,0x3a,(select @@version),0x3a,0x3a,floor(rand()*2))a from mysql.user group by a)b)

Blind SQLi ( Inferential SQLi )

Blind injection is also called logical inference injection. In this case the attacker gets neither the database's error output nor the echoed query results, but can still obtain the data by drawing logical inferences from other information.



Boolean injection: construct a Boolean expression and join it to the preceding condition with and. When the expression is true, the page displays normally. When it is false, the page displays abnormally or shows less content. Note that in practice a false value may show up as HTTP 500 and a true value as HTTP 200, and there are various other situations; this is the essence of logical inference.

There are also some details to note. In the logical evaluation of programming languages, and usually has higher precedence than or. When a Boolean value is evaluated, if the left side of or is true, the right side is not executed. For and, if the left side is false, the right side is skipped and not executed.

MySQL is a bit magical here, and this seems to have no impact on it, but we should still develop good habits. In MSSQL and Oracle we do need to pay attention to it, as shown in the following figure:

Boolean blind injection can be used to obtain data from a MySQL database. For example, to ask whether the ASCII decimal value of the first byte of the database name is greater than 100, use the following statement:

and ascii(substr(database(),1,1))>100

Or use the like approach:

and substr(database(),1,1) like 'm'

and substr(database(),1,2) like 'my'

You can also use the "breakthrough delay injection" method. Because delay injection and Boolean injection are essentially the same, that method works here too. If you are interested, see freebuf's open class.

It is also important to note that PHP and MySQL are both weakly typed. In MySQL, you can write:

select passwd from users where username='xx' or 1

But in MSSQL and Oracle:

select passwd from users where username='xx' or 1=1

Think about MySQL's weak typing.

Time-based SQLi

The principle of time-based blind injection is roughly as follows: when a query result is true, make the remote database wait for a certain time before returning; otherwise it returns immediately. The waiting shows up as the browser not refreshing and the remote server not responding.

In MySQL and MSSQL, a time function is used to sleep when the query result is true. Oracle has no time function, so there the same effect is achieved by querying large tables and large amounts of data. In MySQL:

and if(ascii(substr(database(),1,1))>100,sleep(10),null)

Logical inference injection takes a lot of time and has to be done with tools or small scripts. In sqlmap, you can directly select time-based blind injection with --technique T.

Out-of-band SQLi

The out-of-band (OOB) concept appears in all kinds of blind attacks, for example in blind XXE. The author's understanding of OOB SQL injection is this: the attacker's payload executes successfully, but for various reasons the result cannot be returned in the HTTP response to the attacker's HTTP request, so the attacker cannot get the data produced by the payload through that "channel". In OOB, the attacker constructs a special payload that makes the victim host send an HTTP request or DNS query to a specified host, and those requests carry the query results.

For example, under MySQL:

select load_file(concat('\\\\',version(),'\\a.txt'));

The specific DNS query message is as follows:

Second order Injection

The second type is second-order (secondary) injection. In general, web developers pay attention to the places where the application interacts with users, so naturally there are few SQL injection vulnerabilities in those places. But developers may place a lot of trust in information that comes from the database, and this is the attacker's opportunity: even data from the database is not reliable.

In level 24 of sqli-labs, after registering a user named admin' or '1'='1, we log in as that user and change its password to 123. We then find that the password of the user admin has been changed to 123.

When resetting the password, the SQL statement used is:

UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass'

Because the value of the variable $username is read back from the database, the developer does not filter it, and SQL injection results. When we change the password, we actually change the password of the admin account.
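The password-reset flow described above, shown beside a parameterized version, as an added example that is not part of the original article or of sqli-labs. It assumes Python's built-in sqlite3 in place of MySQL; the function names and the sample passwords are hypothetical, and the registered user name is the one from the text.

```python
import sqlite3

def make_db():
    # Constructed sample data: an existing admin account.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", "s3cret"))
    return db

def register(db, username, password):
    # Registration is parameterized, so the odd name is stored verbatim.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def stored_username(db, username):
    # The value the application later reads back and trusts as $username.
    row = db.execute("SELECT username FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row[0]

def change_password_concat(db, username, curr_pass, new_pass):
    # VULNERABLE: mirrors the UPDATE above. The form fields are escaped,
    # but the user name read from the database is trusted and spliced in.
    esc = lambda s: s.replace("'", "''")
    db.execute("UPDATE users SET password='%s' WHERE username='%s' "
               "AND password='%s'" % (esc(new_pass), username, esc(curr_pass)))

def change_password_bound(db, username, curr_pass, new_pass):
    # Hardened: every value is bound, whatever its origin.
    db.execute("UPDATE users SET password=? WHERE username=? AND password=?",
               (new_pass, username, curr_pass))

def password_of(db, username):
    return db.execute("SELECT password FROM users WHERE username = ?",
                      (username,)).fetchone()[0]

def run(change_password):
    db = make_db()
    odd_name = "admin' or '1'='1"  # the user name registered in the text
    register(db, odd_name, "pw")
    change_password(db, stored_username(db, odd_name), "pw", "123")
    return password_of(db, "admin"), password_of(db, odd_name)

if __name__ == "__main__":
    print(run(change_password_concat))  # admin's password is overwritten
    print(run(change_password_bound))   # only the caller's own row changes
```

In the concatenated form the WHERE clause becomes username='admin' or ('1'='1' and password='pw') because and binds tighter than or, so both the admin row and the caller's own row are updated.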



Stacked queries

Stacked queries means that multiple statements can be executed in a single database query. In the following example, two statements are executed at once in a single MSSQL injection:

select username from usertable where passwd='123';waitfor delay '0:0:5' --%20

Stacked queries are essentially a vehicle for other injection methods, but their results cannot be echoed directly. Generally, we can try delay injection, OOB and other methods to obtain data through stacked queries.


Please refer to the following figure for the preconditions of stacked queries:

You can also bypass WAF by using stored procedures in stacked queries. This article is a good example:

Inline Queries

The author of sqlmap either coined this name or adopted it. Its Chinese translation happens to collide with that of inner join, which confused the author for a long time. It later turned out that Inline Queries refers to the inline view. Inline views can create temporary tables and are useful in some query situations.

Suppose there is a table User_Address with a column ZIP_CODE holding each user's zip code, and another table User_Score recording each user's score, and the two tables share the column "User_ID".

If we want to find the zip codes of users scoring more than 200, we can do it in a single statement by using an inline view, as follows:

Refer to SQL Inline View


In the explanation of the clause tag in sqlmap's boundaries.xml, the author lists 10 places in an SQL statement where they consider an injection point may exist, as follows:

There are four cases of inline queries SQLi, namely 1, 2, 3 and 8. I tried using sqlmap to inject an inline queries statement on MySQL. I found that the injection mode sqlmap recognized was not inline queries, although there is a payload for it in the source code. I have never encountered this kind of injection, and I can only express doubts about it.


The general outline of this article was started a week after the author learned SQL injection. At that time, the author was very angry: why couldn't I find an article that would help me understand the types of SQL injection? So I decided to work it out and write one myself. After a lot of study and revision, this article came out. At first I wanted to add some "advanced points", but they didn't match the title of the article. If I get the chance, I'd like to make up for that later. I hope this article can help you, thank you!