Testing for SQL injection manually means sending carefully crafted input and observing how the application responds to it.
1. Identify Input Fields
- Look for input fields in the application that might interact with a database, such as search boxes, login forms, or URL parameters (e.g., example.com?id=1).
2. Common Test Payloads
Start with simple payloads to check for unexpected database behavior:
- ' OR '1'='1 — Often used to bypass authentication checks.
- ';-- — Ends the current statement and comments out the rest of the query; a database error or a changed response suggests the input reaches the SQL parser.
- ' UNION SELECT NULL,NULL — Used to test for union-based SQL injection; modify columns as needed.
3. Indicators of Vulnerability
- Error Messages: Database-related errors (e.g., SQL syntax errors) may indicate vulnerability.
- Changes in Page Behavior: If injecting special characters changes the app’s response (like bypassing login with admin'--), it could suggest a SQL injection risk.
- Unexpected Data Exposure: If you see data from other tables (using payloads like UNION SELECT), this confirms a serious vulnerability.
4. Testing Techniques
- Boolean-based Testing: Try payloads that will yield true or false results. For example, entering 1' AND '1'='1 and then 1' AND '1'='2, and comparing the two responses, helps determine whether the input is influencing the SQL query.
- Time-based Testing: For cases with no visible error, use time-delay queries to confirm SQL execution. For instance, 1' AND SLEEP(5)-- may delay the response, revealing a blind SQL injection vulnerability. SLEEP() is MySQL syntax; other databases use different delay functions.
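The boolean-based check above, run against a throwaway in-memory SQLite database, with a deliberately vulnerable lookup beside its parameterized fix. This is an added example, not code from the original page; the table, sample rows and function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Build a throwaway in-memory database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [("1", "widget"), ("2", "gadget")])
    return db

def lookup_vulnerable(db, item_id):
    # Deliberately vulnerable: input is concatenated into the SQL text,
    # so quotes in item_id change the structure of the query.
    sql = "SELECT name FROM items WHERE id = '" + item_id + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, item_id):
    # Hardened: the driver binds item_id as data; it is never parsed as SQL.
    return [row[0] for row in db.execute(
        "SELECT name FROM items WHERE id = ?", (item_id,))]

def boolean_probe(lookup, db):
    """Return (true_case_rows, false_case_rows) for the page's boolean pair."""
    return (lookup(db, "1' AND '1'='1"), lookup(db, "1' AND '1'='2"))

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_vulnerable, lookup_parameterized):
        true_rows, false_rows = boolean_probe(fn, db)
        # A difference between the two cases means the input reached the query.
        print(f"{fn.__name__}: true-case={true_rows} "
              f"false-case={false_rows} differs={true_rows != false_rows}")
```

The vulnerable lookup returns a row for the true case and nothing for the false case, which is the response difference a tester looks for; the parameterized lookup treats both strings as literal ids and returns nothing for either.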
5. Precautions
- Only Test on Authorized Applications: Testing without permission is illegal. Use your own setup or authorized environments (e.g., DVWA).
- Back Up Data: SQL injection tests may alter data; always test on non-production environments or with backups in place.
- Limit Dangerous Payloads: Avoid destructive queries (DROP TABLE, DELETE) to prevent unintended data loss.
6. Ethical Hacking Tools for Safe Testing
- Tools like Burp Suite or SQLmap automate testing but can also run manually crafted queries in controlled conditions.