SQL Injection TryHackMe

Overview

SQL Injection (SQLi) happens when attacker-controlled input is used to build a database query without safe parameterization. Impact ranges from data disclosure to authentication bypass and (in some cases) RCE via DB features.

PT1 focus: quickly identify SQLi type (error/union/boolean/time), confirm impact, and document a clean reproduction + remediation.

Databases (quick context)

Relational DBs: MySQL, PostgreSQL, MSSQL, SQLite (tables/rows/columns).
Keys: primary key uniquely identifies a row; often used for lookups and IDOR/SQi combos.
NoSQL exists too, but this room is classic relational SQLi.

Detection: SQLi types (high-signal)

Baseline first: capture a normal request/response and compare size/status/time when you test payloads.

Error-based SQLi

App returns DB errors (syntax, type conversion, stack traces).
Fastest confirmation but sometimes suppressed in prod.

UNION-based SQLi (data extraction)

Use UNION SELECT to merge attacker-controlled rows into the response.
Requires matching column count and compatible types.

Boolean-based blind SQLi

No errors/output, but response changes based on true/false conditions.
Example: different page content, different result count, different redirect.

Time-based blind SQLi

No visible output; confirm via consistent delay when condition is true.
MySQL example: SLEEP(5). PostgreSQL: pg_sleep(5). MSSQL: WAITFOR DELAY '00:00:05'.

Exploitation workflow (exam-ready)

Find injection point: query param, POST body, header, cookie.
Confirm controllability: quote break / boolean flip / timing.
Figure out column count (for UNION): increment ORDER BY or UNION NULLs.
Find reflected column(s): replace NULL with marker values.
Extract essentials: DB/user/version → table names → columns → target data.

Rule: prove impact with minimal data. Don’t dump everything. Capture evidence.

Payload snippets (keep it practical)

Column count

1' ORDER BY 1-- -
1' ORDER BY 2-- -
1' ORDER BY 3-- -

UNION skeleton

1' UNION SELECT NULL-- -
1' UNION SELECT NULL,NULL-- -
1' UNION SELECT NULL,NULL,NULL-- -

Find visible column

1' UNION SELECT 'INJECT',NULL,NULL-- -
1' UNION SELECT NULL,'INJECT',NULL-- -

Useful info

-- MySQL-ish examples
1' UNION SELECT @@version, user(), database()-- -

Blind boolean

1' AND 1=1-- -
1' AND 1=2-- -

Blind time

1' AND SLEEP(5)-- -
1' AND (SELECT 1 FROM (SELECT SLEEP(5))x)-- -

Cheat sheet: if you need more payload variants: payload-box/sql-injection-payload-list

Remediation (what to write in the report)

Use parameterized queries / prepared statements (no string concatenation).
Server-side validation (allowlist types/ranges), but don’t rely on filtering alone.
Least privilege DB user (no DROP/FILE/admin grants for the web app).
Hide verbose errors in production; log internally.
WAF can help, but it’s not a fix.

Exam Notes (PT1)

Always classify the SQLi type: error / union / boolean / time.
Capture two requests: baseline and exploit, with clear diff.
Show the smallest proof that demonstrates impact (e.g., version, current user, single record).
If UNION fails, switch to blind techniques (boolean/time) and document the oracle.