SQL Injection
Difficulty: intermediate

Most attacks occur in one of these statements or clauses:
- SELECT
- INSERT
- UPDATE
- ORDER BY
- WHERE

There are two orders of SQL injection:
- First-order SQL injection (the payload is taken directly from the HTTP request and used in a query)
- Second-order SQL injection (the payload is taken from the HTTP request, stored, and used in a later query)
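Added example for these notes (not code from any real application): a constructed SQLite schema that contrasts a first-order injection in a login WHERE clause with a second-order one in a later INSERT, each beside the parameterized form that treats the value as data. The tautology string is the same `' OR '1'='1` used in the scenarios; everything else (table names, the `demo` helper) is assumed.

```python
import sqlite3

# Constructed in-memory schema: one account plus an audit table written by an internal process.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("CREATE TABLE audit (id INTEGER PRIMARY KEY, username TEXT, action TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'correct-horse')")
    return db

# First-order: request values are pasted into the WHERE clause as SQL text,
# so a quote in the input changes the query's logic instead of being compared as data.
def login_vulnerable(db, username, password):
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None

# Hardened: placeholders ship the values separately, so the engine never parses them as SQL.
def login_safe(db, username, password):
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def register(db, username, password):
    # Parameterized INSERT stores the value faithfully, quotes included.
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    return db.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()[0]

# Second-order: the value was stored safely, but a later internal step trusts it
# and concatenates it into a new statement; that later statement is the injection point.
def audit_vulnerable(db, user_id, action):
    name = db.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    db.execute(f"INSERT INTO audit (username, action) VALUES ('{name}', '{action}')")

def audit_safe(db, user_id, action):
    name = db.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    db.execute("INSERT INTO audit (username, action) VALUES (?, ?)", (name, action))

def demo():
    db = make_db()
    tautology = "' OR '1'='1"            # same string as the beginner scenario
    uid = register(db, "O'Brien", "pw")  # a legitimate name that contains a quote
    try:
        audit_vulnerable(db, uid, "login")
        second_order_breaks = False
    except sqlite3.OperationalError:     # the stored quote breaks the later query
        second_order_breaks = True
    audit_safe(db, uid, "login")
    return {
        "vulnerable_login_bypassed": login_vulnerable(db, "admin", tautology),
        "safe_login_bypassed": login_safe(db, "admin", tautology),
        "second_order_breaks": second_order_breaks,
        "audit_rows": db.execute("SELECT COUNT(*) FROM audit").fetchone()[0],
    }
```

The syntax error in the second-order case is the same symptom as Level 1 in the table below: a stored value that was never malicious still breaks the query, which is the signal to look for in application error logs.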
Example Attack Chains (Realistic Progression)

Beginner Scenario:
Login form vulnerable to a simple ' OR '1'='1
➡️ Login bypass
➡️ Union-based SQLi to extract credentials

Intermediate Scenario:
No visible errors → use Boolean blind SQLi
➡️ Extract usernames via logical inferences
➡️ Find secondary injection in profile edit → exploit via second-order SQLi

Advanced Scenario:
SQLi in admin panel → drop shell via OUTFILE
➡️ Gain shell access
➡️ Upload ransomware or C2 beacon
➡️ Begin lateral movement
Pro Tip: SQL Injection → Ransomware Risk
Many high-profile ransomware events began with SQLi as the initial access vector.
Examples:
- CVE-2023-34362 (MOVEit Transfer) → SQLi to RCE → Cl0p ransomware
- CVE-2019-11510 (Pulse Secure) → not SQLi, but paired with credential theft and lateral movement for ransomware ops
| Level | Description | Complexity | Common Types at This Level | Impact |
|---|---|---|---|---|
| Level 0 | No Injection | 🟢 | N/A (secure) | App uses parameterized queries or ORM |
| Level 1 | Basic Injection / Syntax Breaking | 🟡 Beginner | Error-Based; Classic In-Band SQLi | Errors returned in response; may reveal DB structure |
| Level 2 | Data Extraction | 🟡 Beginner | Union-Based SQLi; Error-Based SQLi | Attacker can read usernames, emails, credit card data |
| Level 3 | Blind Injection | 🟠 Intermediate | Boolean-Based; Time-Based (Delayed Response) | App doesn't show errors, but attacker infers true/false or timing |
| Level 4 | Authentication Bypass | 🟠 Intermediate | Classic; Boolean-Based SQLi | Login as admin without password |
| Level 5 | Stored / Second-Order SQLi | 🔴 Advanced | Second-Order SQLi; Delayed Execution | Payload stored and executed later; hard to detect |
| Level 6 | Out-of-Band SQLi (OOB) | 🔴 Advanced | OOB via DNS/HTTP; Data exfil to attacker server | Uses network interaction, often bypasses WAFs |
| Level 7 | Data Manipulation / Destruction | 🔴 Advanced | INSERT/UPDATE/DELETE SQLi; Privilege Escalation | Changes or deletes data, may create new admin accounts |
| Level 8 | File System Access / Code Execution | 🔥 Expert | SQLi leading to RCE; File writes via SQL (e.g., SELECT INTO OUTFILE) | Drops shells or malware on the server |
| Level 9 | Pivot to Ransomware / Lateral Movement | 🔥🔥 Expert | Chained SQLi → RCE → Pivoting | Used by APTs and ransomware gangs to move inside networks |
| Level 10 | Full System/Domain Compromise | ⚠️ Nation-State Level | SQLi → Domain Controller Access; Rootkits, full TTP chain | Seen in sophisticated, targeted attacks |

| 🧠 Level | 💣 Attack Type | 🧩 Techniques Involved | 🎯 Attack Goal | 🛠️ Complexity |
|---|---|---|---|---|
| Level 1 | Syntax Error Injection | ' OR 1=1--, ', ", mismatched quotes | Identify injectable fields, basic bypass | 🟢 Beginner |
| Level 2 | Error-Based SQLi | Break query to trigger DB errors | Discover DB type, structure | 🟢 Beginner |
| Level 3 | Union-Based SQLi | UNION SELECT injections | Extract user data, schema | 🟡 Beginner |
| Level 4 | Boolean Blind SQLi | AND 1=1, AND 1=2 | Infer data via true/false behavior | 🟠 Intermediate |
| Level 5 | Time-Based Blind SQLi | SLEEP(5), WAITFOR DELAY | Infer data via timing responses | 🟠 Intermediate |
| Level 6 | Authentication Bypass | ' OR '1'='1, admin'-- | Gain unauthorized access | 🟠 Intermediate |
| Level 7 | Second-Order SQLi | Stored injection (profile forms, comments) | Trigger SQL later in internal processes | 🔴 Advanced |
| Level 8 | Out-of-Band SQLi | LOAD_FILE(), DNS/HTTP exfil | Exfiltrate data without response | 🔴 Advanced |
| Level 9 | SQLi → File Write / Shell Upload | SELECT ... INTO OUTFILE | Drop web shells, lateral movement | 🔥 Expert |
| Level 10 | SQLi to RCE → Ransomware Deployment | SQLi + OS commands (xp_cmdshell, sys_exec) | Full system control, ransomware detonation | ⚠️ Nation-State / APT level |

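Detection view of the table above, as an added example (not from these notes' source): signature rules keyed to the "Techniques Involved" column, run over constructed Common Log Format access-log lines. The rule labels, the log lines and the `analyze`/`scan` helpers are assumptions for this example; the strings they match are the ones the table names.

```python
import re
from urllib.parse import unquote_plus

# Detection rules keyed to the technique column of the table above.
# Labels are this example's own; the keywords are the ones the table lists.
RULES = [
    ("L1/L6 quote tautology or comment truncation", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+|'\s*(--|#)", re.I)),
    ("L3 UNION-based extraction", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("L4 boolean blind probe", re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),
    ("L5 time-based blind probe", re.compile(r"\b(sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("L8 file read / out-of-band", re.compile(r"\bload_file\s*\(", re.I)),
    ("L9 file write", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    ("L10 OS command execution", re.compile(r"\bxp_cmdshell\b|\bsys_exec\s*\(", re.I)),
]

# Common Log Format: client, identd, user, [time], "request", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def normalize(path):
    # Decode twice so double-encoded values are inspected too, then fold inline
    # comment sequences to whitespace so the keyword rules see one token stream.
    decoded = unquote_plus(unquote_plus(path))
    return re.sub(r"/\*.*?\*/", " ", decoded)

def analyze(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    query = normalize(m.group("path"))
    hits = [label for label, rx in RULES if rx.search(query)]
    return {"ip": m.group("ip"), "status": int(m.group("status")), "hits": hits}

def scan(lines):
    return [r for r in map(analyze, lines) if r and r["hits"]]

SAMPLE_LOG = [  # constructed lines; the last two are benign (an apostrophe in a name, a plain id)
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=admin&pass=%27+OR+%271%27%3D%271 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /products?id=1+UNION+SELECT+username,password+FROM+users HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /products?id=1+AND+1%3D2 HTTP/1.1" 200 128',
    '198.51.100.7 - - [10/Oct/2023:13:56:20 +0000] "GET /products?id=1%3B+WAITFOR+DELAY+%270:0:5%27 HTTP/1.1" 500 0',
    '192.0.2.10 - - [10/Oct/2023:13:57:00 +0000] "GET /search?q=O%27Brien HTTP/1.1" 200 900',
    '192.0.2.10 - - [10/Oct/2023:13:57:05 +0000] "GET /products?id=42 HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["ip"], r["status"], "; ".join(r["hits"]))
```

Signature rules only cover the in-band and blind levels; the second-order row (Level 7) never shows its payload in the triggering request, so it needs database-side error monitoring rather than request inspection.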
| Level | Complexity | Example CVE / Case | Affected Vendor / Product | CVSS | Exploited in Wild | Ransomware Linked? |
|---|---|---|---|---|---|---|
| L1 | Beginner | No CVE (Recon-level injection) | Generic login forms | N/A | No | No |
| L2 | Beginner | CVE-2021-25094 | WordPress Plugin Simple File List | 7.5 | No | No |
| L3 | Beginner | CVE-2022-0492 | WordPress Plugin Booking Calendar | 8.8 | No | No |
| L4 | Intermediate | CVE-2020-2551 | Oracle WebLogic Server | 9.8 | ✅ Yes | ⚠️ Initial Access Vector |
| L5 | Intermediate | CVE-2018-7600 (Drupalgeddon 2) | Drupal CMS | 9.8 | ✅ Yes | ✅ Used in web shells & ransomware |
| L6 | Intermediate | CVE-2021-22941 | Fortinet FortiWeb | 7.2 | Yes (PoC available) | Possibly |
| L7 | Advanced | CVE-2021-21311 | Grafana (stored XSS → SQLi risk) | 7.1 | No | Not directly |
| L8 | Advanced | CVE-2020-9484 | Apache Tomcat (via serialized objects) | 9.8 | ✅ Yes | 🔥 Remote shell deployment path |
| L9 | Expert | CVE-2023-34362 | MOVEit Transfer (Progress Software) | 9.8 | ✅ Actively Exploited | ✅ Cl0p Ransomware |
| L10 | Nation-State | CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus | 9.8 | ✅ Yes | ✅ Used in APT attacks + ransomware |